Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can i use sendemail without SMTP?

DontStopNowBaby
Explorer
‎07-29-2018 08:51 PM

Hi all,

Im a new user and I've set SPLUNK to send some email alerts using sendemail from SPLUNK search head directly to a destination server. However i don't have an smtp server setup, nor a smtp relay host.

Is it possible for SPLUNK to send email alerts, without SMTP?

I am currently trying but am receiving a connection error [Errno 110]

I've been testing the sendemail alert using the below :
index="main" | head 1| sendemail to="alert@security.com" server=10.200.300.400:25 subject="test"

10.200.300.400 is the destination server.
in my mail settings, i've set the mail host as 10.200.300.400:25

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-30-2018 05:15 AM

SMTP is Simple Mail Transport Protocol. It’s the only protocol for sending email. Receiving can happen on POP or IMAP but sending is always SMTP unless you’re in a Novell network or something.

If you do not specify change the default server in the settings, then splunk will use localhost’s sendmail (if on Linux) to send email as the local server. If you do specify a mail server, then it uses the server you give as a mail gateway but requires SMTP to make the connection to the mail gateway.

100.200.300.400 is not a valid IP address. I assume you’re just giving any example, but wanted to mention that.

Run this search to find the errors, and then tell us what error you’re getting.

index=_internal sendmail

So to answer your question, SMTP is required to send any email from any software.

Reply

DontStopNowBaby
Explorer
‎07-30-2018 06:53 PM

Yeap the IP 100.200.300.400 is just a fake IP i gave as an example.

im running the splunk on linux instance, and have left the mail server as blank.
Do i need to configure anything on splunk to enable sending mail? or would it be enabled by default?
Apologies if the questions seem rather noobish, but i've inherited a splunk setup without prior knowledge.

Running the command index=_internal sendmail you gave showed no errors.
However i'm not sure what the logs are deciphering :

07-31-2018 09:37:34.928 +0800 INFO StreamedSearch - Streamed search search starting: search_id=remote_server_1533001054.153589, server=SearchHead, active_searches=2, search='litsearch ( index=_internal sendmail ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1532912400.000000 lt=1533001054.000000 remove=true max_count=1000 max_prefetch=100', remote_ttl=600, apiStartTime='Mon Jul 30 09:00:00 2018', apiEndTime='Tue Jul 31 09:37:34 2018', savedsearch_name=""
`

By the way is is possible to use the sendemail without SMTP?
Like can i refer the mailhost to the splunk indexer?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2018 04:22 AM

The log message you clipped is the result of your own search for index=_internal sendmail. I usually ignore those unless I'm debugging a search problem. Add sourcetype!=splunkd_remote_searches to your query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-31-2018 04:29 AM

It defaults to localhost correct
@richgalloway ? I updated my answer as such. Thanks!

0 Karma
Reply

DontStopNowBaby
Explorer
‎07-31-2018 07:30 PM

I added the sourcetype!=splunkd_remote_searches. But its not showing anything helpful
I'll try to set the mailserver to a SMTP gateway, and test.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-31-2018 04:34 AM 
mailserver = <host>[:<port>]
* You must have a Simple Mail Transfer Protocol (SMTP) server available
  to send email. This is not included with Splunk.
* Specifies the SMTP mail server to use when sending emails.
* <host> can be either the hostname or the IP address.
* Optionally, specify the SMTP <port> that Splunk should connect to.
* When the "use_ssl" attribute (see below) is set to 1 (true), you
  must specify both <host> and <port>.
  (Example: "example.com:465")
* Defaults to $LOCALHOST:25.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2018 04:02 AM

SMTP is required to send mail from Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...