Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Email alerts only sending some emails

jdhart1312
Loves-to-Learn Everything
‎02-27-2024 05:49 AM

We got the email alert notifications running in Splunk and the configuration the same across all of the alerts but only some of them actually send an email. We have a separate page where we can see all of the alerts but we don't see all of them come across our emails. All of the alerts are configured the same way as seen below: 

jdhart1312_2-1709041542796.png

I'm not understanding why the email notifications only work for certain alerts when we can see all of the alerts on our dashboard and they're all configured the same. 

Tags (1)
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-27-2024 08:34 AM

@jdhart1312 

Check for Errors: Search the _internal index for any email-related errors or warnings. Use the following search query:

index=_* AND (SMTP OR sendemail OR email) AND (FAIL* OR ERR* OR TIMEOUT OR CANNOT OR REFUSED OR REJECTED)

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎02-27-2024 08:33 AM

@jdhart1312 It seems like you’re experiencing an issue with email alert notifications in Splunk. 

First, ensure that the user account associated with the alerts has the necessary permissions to send emails. Sometimes, issues arise due to permission restrictions. Verify that the user has the appropriate access.

Test with |sendemail Command: Run an ad-hoc test using the | sendemail command in your search query. This will help verify if emails are being sent correctly. If you receive the expected results via email, it indicates that the email functionality is working, and the issue might be specific to your alerts.

Ensure that the dimensions of any attachments (such as PDFs) do not exceed the email attachment size limit. Large attachments may cause email delivery problems.

Email notification action - Splunk Documentation

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

jdhart1312
Loves-to-Learn Everything
‎02-27-2024 10:58 AM

I followed all of the steps and I'm not seeing anything in Splunk for these email logs. Doing | sendemail also did nothing. Some alerts work perfectly fine but others don't. Configuration is identical too. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...