Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why emails are not getting sent for some reports on the search head?

lukasz92
Communicator
‎12-13-2016 06:19 AM

Hi,

I have a problem on the search head - on some reports, emails are not sent

In _internal I see events:

SavedSplunker - alert_actions="email", sid="...", suppressed=0, thread_id="AlertNotifierWorker-0"

However, I do not see events:

sendemail:112 - Sending email. subject="Splunk Report: (...(", results_link="https://splunk-pci.(...)/app/search/@go?sid=(...)", recipients="[u'(...)']", server="smtp01-pci"

How to diagnose this problem?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-13-2016 07:14 AM

Hi lukasz92,
have you search results are in your eMail body or in attach?
verify the dimensions of your eMail and (eventually) your attachment because sometimes the problem is that eMail body or email attachment exceed the limits of your eMail server.
You can verify this triggering an alert without inserting results in the eMail body and without attaching them to the eMail.
In addition you can see Splunk logs in $SPLUNK_HOME/var/log/splunk/splunkd.log.
Bye.
Giuseppe

0 Karma
Reply

rjthibod
Champion
‎12-13-2016 06:39 AM

Look in splunkd.log in /var/log for more information and use the sendmail SPL command to test out configuration changes.

0 Karma
Reply

lukasz92
Communicator
‎12-13-2016 07:09 AM

What do you mean?

sendmail works correctly, some reports send mail.
What should I search more?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-13-2016 07:40 AM

How many Email servers do you have in your DNS entry, you can check via nslookup command with your sendmail server name.

I faced same issue when there was problem with one of the email server. I have 4 email servers IP when I check using nslookup <email server name> and on DNS, round-robin method defined to handle traffic on all 4 email servers so when request goes to faulty email server, I didn't get email but when next email will be fired by splunk it goes to next email server which is working fine so I received email.

Thanks,
Harshil

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...