All Apps and Add-ons

Linux DHCP and emails

stefanlasiewski
Contributor

In any case, you will want to change
the "Email address(es)" from
"example@example.com" to your desired
email address or distribution list.

This app is sending close to 100 messages every day. They all go to 'example@example.com' which is bouncing around the email system. By default email on most Linux systems will have the 'From:' address of 'splunk@somehost.yourorganization.org', which also goes nowhere (Or perhaps it goes to postmaster@yourorganization.org). This results in hundreds of double-bounced emails which remain in email purgatory.

How would one change this email address? I cannot find that setting anywhere.

Tags (1)
1 Solution

stefanlasiewski
Contributor

Here's how I solved this.

I noticed that the savedsearch dhcpd_alert_new_mac_address_15m was configured to send an email every 15 minutes. By default, it sends email to example@example.org . That is a ton of email (96 incorrect emails per day?). This is viewable under "Splunk> Manager » Searches and reports » dhcpd_alert_new_mac_address_15m", and on the commandline at $SPLUNK_HOME/etc/apps/dhcpd/default/savedsearches.conf has this:

[dhcpd_alert_new_mac_address_15m]                                                   
action.email = 1                                                                    
action.email.sendresults = 1                                                        
action.email.to = example@example.com                                               
counttype = number of events                                                        
cron_schedule = */15 * * * *                                                        
description = Alerts on mac addresses seen in the last 15 minutes that were not in the dhcpd_mac-hostname lookup table                                                   

To disable this, I simply unchecked the box next to "Schedule this search". On the commandline, the following file was added to $SPLUNK_HOME/etc/apps/dhcpd/local/savedsearches.conf, and now the emails have stopped.

[dhcpd_alert_new_mac_address_15m]  
disabled = 1   

View solution in original post

0 Karma

stefanlasiewski
Contributor

Here's how I solved this.

I noticed that the savedsearch dhcpd_alert_new_mac_address_15m was configured to send an email every 15 minutes. By default, it sends email to example@example.org . That is a ton of email (96 incorrect emails per day?). This is viewable under "Splunk> Manager » Searches and reports » dhcpd_alert_new_mac_address_15m", and on the commandline at $SPLUNK_HOME/etc/apps/dhcpd/default/savedsearches.conf has this:

[dhcpd_alert_new_mac_address_15m]                                                   
action.email = 1                                                                    
action.email.sendresults = 1                                                        
action.email.to = example@example.com                                               
counttype = number of events                                                        
cron_schedule = */15 * * * *                                                        
description = Alerts on mac addresses seen in the last 15 minutes that were not in the dhcpd_mac-hostname lookup table                                                   

To disable this, I simply unchecked the box next to "Schedule this search". On the commandline, the following file was added to $SPLUNK_HOME/etc/apps/dhcpd/local/savedsearches.conf, and now the emails have stopped.

[dhcpd_alert_new_mac_address_15m]  
disabled = 1   
0 Karma

araitz
Splunk Employee
Splunk Employee

The only way to do this right now is to edit each saved search manually. I will consider making this easier in a future version.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>