We authenticate to AD through LDAP and have run into the known issue about Splunk not being able to pull email addresses. Has anyone found a work around (other than creating hundreds of local users) to allow Splunk to send alerts to email?
This seems to be a somewhat common misunderstanding about how email alerts work.
When you configure an alert, you define as part of the alert action what email addresses to send to when the alert fires. The Splunk users and the definitions of their email addresses are not at all used by the alert mail sending code.
Now, I see many of the comments above about how certain mail addresses are working and others are not. I don't immediately see what is wrong there, but I can tell you with certainty it is not because of the missing LDAP email addresses. I had this same question for Splunk support back when we first deployed, and for the most part the email in the user's definition is information only.
The only code I can find that supports these email addresses is for some kind of search-completion/status-change notification which appears to be unfinished. They were never used for sending alerts, which, as dwaddle says, is configured per alert.
This is correct. It turns out the issue we had was with groups lists that were not white-listed.
It sounds like sendmail is not configured correctly. Try sending a mail from the server itself. On Linux: mail -v -s "subject line" user@address.com < sample.test.file to see if the SMTP process sends the email. If it does not send the mail, then you need to get the Unix admin to take a look at the sendmail configuration.
Also do you know if the sendemail command sends the email from the splunk server or from my local machine?
It seems like some relay issue. If it is a relay issue, though, doesn't it mean that no email will make it out of the server?
I tried the sendemail command using:
index=tempmpi | timechart span=30m count | sendemail to="name1@xxx.com" format=html subject=myresults server=mail.xxx.com sendresults=true
and got the error message:
command="sendemail", {'name1.xxx.com': (550, '5.7.1 Unable to relay for name1.xxx.com')} while sending mail to: name1.xxx.com
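The 550 5.7.1 above is the relay's answer to RCPT TO, which is why it shows up per recipient: the relay, not Splunk, decides which addresses it will forward for. The following is an added example, not code from this thread or from Splunk. It runs a toy SMTP relay on localhost with a constructed whitelist of recipient domains (xxx.com only), then probes a list of recipients with MAIL FROM / RCPT TO and collects each verdict without sending a body. The address team-list@other.org and the sender splunk@xxx.com are constructed for the demo.

```python
"""Toy SMTP relay plus a recipient probe, reproducing '550 5.7.1 Unable to relay'.

Added example (not from the thread). The relay's whitelist and the addresses
are constructed; the probe issues MAIL FROM / RCPT TO and reads each verdict
without sending a message body, the same step at which sendemail's error is
produced.
"""
import smtplib
import socketserver
import threading

# Constructed relay policy: only these recipient domains are accepted.
ALLOWED_DOMAINS = {"xxx.com"}


class ToyRelayHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer EHLO/HELO, MAIL, RCPT, RSET and QUIT."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 toy-relay ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 toy-relay")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                # arg looks like 'TO:<user@domain>'
                addr = arg.partition(":")[2].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if domain in ALLOWED_DOMAINS:
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    # Same verdict the thread's sendemail run received.
                    self.reply("550 5.7.1 Unable to relay for " + addr)
            elif verb == "RSET":
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_toy_relay():
    """Start the relay on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToyRelayHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_recipients(host, port, sender, recipients):
    """Return {recipient: (code, text)} from RCPT TO, without sending a body."""
    verdicts = {}
    with smtplib.SMTP(host, port, local_hostname="probe", timeout=10) as smtp:
        smtp.ehlo()
        smtp.mail(sender)
        for rcpt in recipients:
            code, text = smtp.rcpt(rcpt)
            verdicts[rcpt] = (code, text.decode("ascii", "replace"))
        smtp.rset()  # abandon the transaction; the context manager sends QUIT
    return verdicts


def demo():
    """Probe one whitelisted and one non-whitelisted (constructed) address."""
    server, port = start_toy_relay()
    try:
        return probe_recipients("127.0.0.1", port, "splunk@xxx.com",
                                ["name1@xxx.com", "team-list@other.org"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for rcpt, (code, text) in demo().items():
        print(f"{rcpt}: {code} {text}")
```

Against a real relay, run probe_recipients from the Splunk host with the server named in the sendemail server= argument and the alert's full recipient list; any address that comes back 550 is refused by the relay's policy before Splunk's configuration is ever involved, which is the first thing to rule out when some recipients get alert mail and others do not.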
Best bet: check with the sendmail command to those IDs. If they are reaching, well and good. For confirmation you can send it to one of your personal IDs if allowed.
I will test again. I don't have access to the smtp server so cannot check the log. I did suspect that something was wrong on our side because it did not make sense that a problem like this would exist on a product like splunk.
Dear friend, there is no access or account-related permission which is needed to forward a simple email.
Did you configure the SMTP gateway on the Splunk instance, or are you only using a custom config in alert_action.conf?
Test with the sendmail command to the other email IDs to see if they are getting it or not. For the email IDs that are not getting it, check the SMTP server log.
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Sendemail
name1 is my email address but attached to the local admin account. name2 and 3 are the email addresses of users on an LDAP account. I get an email on name1 but the other 2 users don't get emails.
[Test-Alert]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.to = name1@xxx.com,name2@xxx.com,name3@xxx.com
action.keyindicator.invert = 0
alert.digest_mode = 0
alert.severity = 2
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = Test Alert
disabled = 1
dispatch.earliest_time = rt
dispatch.latest_time = rt
display.general.type = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=tempmpi | stats count
Could you paste one of your savedsearch.conf settings for your alert? The above assumption is not correct; there is something wrong somewhere else.
I added my email to the local admin account and I get email that way. Other users with LDAP account and no email do not receive emails.
It's not correct. The email gateway which is configured in Splunk should send them to anyone you like. It doesn't depend on any user's email ID. Does anyone get any mail?
I should add that this is for version 6 of Splunk Enterprise. When creating alerts, one of the alert actions is to enable send email. For email addresses, you can enter multiple addresses separated by commas. However, if the email address is not defined in the user's email address field, the email does not get sent.
Where do you use the email IDs? How is the user in LDAP users related to alerts and creating local users?