Reporting

EMail and LDAP

Path Finder

We authenticate to AD through LDAP and have run into the known issue about Splunk not being able to pull email addresses. Has anyone found a work around (other than creating hundreds of local users) to allow Splunk to send alerts to email?

1 Solution

SplunkTrust
SplunkTrust

This seems to be a somewhat common misunderstanding about how email alerts work.

When you configure an alert, you define as part of the alert action what email addresses to send to when the alert fires. The Splunk users and the definitions of their email addresses are not at all used by the alert mail sending code.

Now, I see many of the comments above about how certain mail addresses are working and others are not. I'm don't immediately see what is wrong there, but I can tell you with certainty it is not because of the missing LDAP email addresses. I had this same question for Splunk support back when we first deployed, and for the most part the email in the user's definition is information only.

View solution in original post

SplunkTrust
SplunkTrust

This seems to be a somewhat common misunderstanding about how email alerts work.

When you configure an alert, you define as part of the alert action what email addresses to send to when the alert fires. The Splunk users and the definitions of their email addresses are not at all used by the alert mail sending code.

Now, I see many of the comments above about how certain mail addresses are working and others are not. I'm don't immediately see what is wrong there, but I can tell you with certainty it is not because of the missing LDAP email addresses. I had this same question for Splunk support back when we first deployed, and for the most part the email in the user's definition is information only.

View solution in original post

Splunk Employee
Splunk Employee

The only code I can find that supports these email addresses is for some kind of search-completion/ status change notification which appears to be unfinished. They were never used for sending alerts, which is as dwaddle says is configured per-alert.

0 Karma

Path Finder

This is correct. It turns out the issue we had was with groups lists that were not white-listed.

0 Karma

Explorer

It sounds like sendmail is not configured correctly. Try sending a mail from the server itself. For linux mail -v -s "subject line" user@address.com < sample.test.file to see if the smtp process sends the email. If it does not send the mail then you need to get the Unix Admin to take a look at the sendmail configuration.

0 Karma

Path Finder

Also do you know if the sendemail command sends the email from the splunk server or from my local machine?

0 Karma

Path Finder

It seems like some relay issue. If it is a relay issue, though, doesn't it mean that no email will make it out of the server?

0 Karma

Path Finder

I tried the sendemail command using:

index=tempmpi | timechart span=30m count | sendemail to="name1@xxx.com" format=html subject=myresults server=mail.xxx.com sendresults=true

and got the error message:

command="sendemail", {'name1.xxx.com': (550, '5.7.1 Unable to relay for name1.xxx.com')} while sending mail to: name1.xxx.com

0 Karma

Champion

best bet check with sendmail command to those IDs. If they are reaching well and good. For confirmation you can send it to one of your personal ids if allowed.

0 Karma

Path Finder

I will test again. I don't have access to the smtp server so cannot check the log. I did suspect that something was wrong on our side because it did not make sense that a problem like this would exist on a product like splunk.

Champion

Dear friend, there is no access or account related permission which is need to forward a simple email.

Did you configure the smtp gateway on splunk instance or you are only using a custom cofig in alert_action.conf?

Test with sendmail command to the other email ids if they are getting it or not. The email id's if they are not getting check the smpt server log.

_http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Sendemail

Path Finder

name1 is my email address but attached to the local admin account. name2 and 3 are the email addresses of users on an LDAP account. I get an email on name1 but the other 2 users don't get emails.

0 Karma

Path Finder

[Test-Alert]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.to = name1@xxx.com,name2@xxx.com,name3@xxx.com
action.keyindicator.invert = 0
alert.digestmode = 0
alert.severity = 2
alert.suppress = 0
alert.track = 1
cron
schedule = * * * * *
description = Test Alert
disabled = 1
dispatch.earliesttime = rt
dispatch.latest
time = rt
display.general.type = statistics
enableSched = 1
quantity = 0
relation = greater than
request.uidispatchapp = search
request.uidispatchview = search
search = index=tempmpi | stats count

0 Karma

Champion

could you paste on of your savedsearch.conf settings for your alert? The above assumption is not correct, there is something wrong somewhere else..

Path Finder

I added my email to the local admin account and I get email that way. Other users with LDAP account and no email do not receive emails.

0 Karma

Champion

It's not correct. Your email gateway which is configured in splunk should send them to anyone you like. It doesn't depend on any user email id. Does anyone get any mail?

Path Finder

I should add that this is for version 6 of Splunk Enterprise. When creating alerts, one of the alert actions is to enable send email. For email addresses, you can enter multiple addresses separated by commas. However, if the email address is not defined in users, email address, the email does not get sent.

Champion

Where do u use the email id's? How is the user in LDAP users related to alerts and creating local users?