Monitoring Splunk

After upgrade to 7.2.6 unable to send test email with sendemail.py

mchang_splunk
Splunk Employee

After upgrade to 7.2.6, scheduled searches and/or alerts that would send PDF via email no longer work.

Running these searches manually ad-hoc produces the correct results expected. Previewing the PDF also works correctly, showing that the PDF is generated.

Looking in python.log, warnings are shown:

2019-04-25 03:01:02,688 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,839 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,872 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,904 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:03:03,140 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:03:03,146 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:10:03,206 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 06:00:03,332 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent

We are able to reproduce this in our repro environments.

1 Solution

mchang_splunk
Splunk Employee

This is a known issue, SPL-169625, which will be fixed in a later version.

Current workaround is:
1. Replace 'sendemail.py' from 7.2.6 with the same file in version 7.2.5.1.
2. Edit the saved search: in the "Search" field, replace "| noop" with "| makeresults".


solone1020
Engager

Find the file C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py
Edit line 1392
if results: -> if True:
This can fix the issue.

0 Karma

jhidalgo_splunk
Splunk Employee

For workaround #2 do:
Go to Settings > All configurations > click on the _ScheduledView that you just created and the search field will default to "| noop". Change the Search default to "| makeresults" for it to work for now.

0 Karma

gjanders
SplunkTrust

Are workarounds #1 and #2 two alternatives? Or do both need to be done?

Thanks

0 Karma

jhidalgo_splunk
Splunk Employee

They are alternatives; you do not need to do both of them.

gunzola
Path Finder

Please update https://docs.splunk.com/Documentation/Splunk/7.2.6/ReleaseNotes/Knownissues
Description of impact/defect is not clear. We have several customers relying on scheduled PDF - not working for some (upgraded installations).

iserc
Engager

I concur. Please update the release notes with detailed workarounds. Email report failures from an enterprise-level logging solution are not a small issue.
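
To check whether an upgraded instance is silently dropping scheduled emails, the warning quoted in the question can be counted directly from python.log. The script below is an added example, not part of the thread or Splunk's own code; the function names are hypothetical and the sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout taken from the python.log excerpt quoted in the question.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\w+):(?P<lineno>\d+) - (?P<msg>.*)$"
)
SUPPRESSED_MSG = "search results is empty, no email will be sent"


def find_suppressed_emails(lines):
    """Return timezone-aware datetimes of sendemail 'no email will be sent' warnings."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tracebacks and lines in other layouts are skipped
        if m["component"] != "sendemail" or m["level"] != "WARNING":
            continue
        if SUPPRESSED_MSG not in m["msg"]:
            continue
        hits.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f %z"))
    return hits


def per_hour(hits):
    """Count suppressed sends per logged hour, to line up with scheduled run times."""
    return Counter(ts.strftime("%Y-%m-%d %H:00 %z") for ts in hits)


# Sample input: three lines copied from the question, plus two constructed
# non-matching lines (an INFO line and a traceback header).
SAMPLE = """\
2019-04-25 03:01:02,688 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,839 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:05:00,000 -0500 INFO sendemail:100 - constructed unrelated line
Traceback (most recent call last):
2019-04-25 06:00:03,332 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
""".splitlines()

if __name__ == "__main__":
    for hour, n in sorted(per_hour(find_suppressed_emails(SAMPLE)).items()):
        print(f"{hour}  suppressed email actions: {n}")
```

The log line carries no saved-search name, so the hourly counts have to be matched against the schedule of the affected reports by hand.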
