Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Email alerts only sending some emails

jdhart1312
Loves-to-Learn Everything
‎02-27-2024 05:49 AM

We got the email alert notifications running in Splunk and the configuration the same across all of the alerts but only some of them actually send an email. We have a separate page where we can see all of the alerts but we don't see all of them come across our emails. All of the alerts are configured the same way as seen below: 

jdhart1312_2-1709041542796.png

I'm not understanding why the email notifications only work for certain alerts when we can see all of the alerts on our dashboard and they're all configured the same. 

Tags (1)
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-27-2024 08:34 AM

@jdhart1312 

Check for Errors: Search the _internal index for any email-related errors or warnings. Use the following search query:

index=_* AND (SMTP OR sendemail OR email) AND (FAIL* OR ERR* OR TIMEOUT OR CANNOT OR REFUSED OR REJECTED)

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-27-2024 08:33 AM

@jdhart1312 It seems like you’re experiencing an issue with email alert notifications in Splunk. 

First, ensure that the user account associated with the alerts has the necessary permissions to send emails. Sometimes, issues arise due to permission restrictions. Verify that the user has the appropriate access.

Test with |sendemail Command: Run an ad-hoc test using the | sendemail command in your search query. This will help verify if emails are being sent correctly. If you receive the expected results via email, it indicates that the email functionality is working, and the issue might be specific to your alerts.

Ensure that the dimensions of any attachments (such as PDFs) do not exceed the email attachment size limit. Large attachments may cause email delivery problems.

Email notification action - Splunk Documentation

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

jdhart1312
Loves-to-Learn Everything
‎02-27-2024 10:58 AM

I followed all of the steps and I'm not seeing anything in Splunk for these email logs. Doing | sendemail also did nothing. Some alerts work perfectly fine but others don't. Configuration is identical too. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...