Problem with sending email

CI2az
New Member

ERROR SMTP AUTH extension

I am trying to change the email extension Splunk uses to authenticate to an exchange server.

For example: Splunk uses something like splunk@server1

The domain of the From: address must be in DNS; mail with a From: address like root@192.168.1.1 or root@server1 will not work.

I need to have the extension resolve to a domain.com address. Been trying to look through the code to identify where the input of information is located, but am not quite sure.

We plan on using this in a large environment, but it must work before and send out email alerts beforehand using the environment we currently have in place.

Regards,

0 Karma

adamw
Communicator

In $SPLUNK_HOME/etc/system/local/alert_actions.conf, you can configure the from address to be anything you want:

[email]
from = splunk@domain.com

You can also set this value in Manager->System Settings->Email Alert Settings

Thanks,
--adam

0 Karma
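
A syntactic pre-check for the `from` value discussed in this thread, as an added example that is not part of any post here and is not Splunk's own code: it reads the [email] stanza and flags From addresses whose host part is an IP literal or a bare hostname. The sample file contents and the function names are constructed for illustration, and the check does not perform a DNS lookup.

```python
import configparser
import ipaddress

# Constructed sample contents of alert_actions.conf (not taken from the thread).
SAMPLE_CONF = """
[email]
mailserver = mail.domain.com
from = splunk@server1
"""


def classify_from(value):
    """Return 'unset', 'name-only', 'ip-literal', 'bare-host' or 'fqdn'."""
    value = value.strip()
    if not value:
        return "unset"
    if "@" not in value:
        # Name only: per the comment quoted in the thread, the host is appended.
        return "name-only"
    domain = value.rsplit("@", 1)[1].strip("[]").rstrip(".")
    try:
        ipaddress.ip_address(domain)
        return "ip-literal"      # e.g. root@192.168.1.1
    except ValueError:
        pass
    labels = domain.split(".")
    if len(labels) < 2 or not all(labels):
        return "bare-host"       # e.g. root@server1
    return "fqdn"                # e.g. splunk@domain.com


def check_conf(text):
    """Return (from_value, classification) for the [email] stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    value = parser.get("email", "from", fallback="")
    return value, classify_from(value)


if __name__ == "__main__":
    value, kind = check_conf(SAMPLE_CONF)
    print(f"from = {value!r}: {kind}")
```

Only the `fqdn` result satisfies the requirement stated in the question; whether that domain actually exists in DNS still has to be confirmed with a resolver.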

adamw
Communicator

We don't use SMTP auth in our environment, so I can't speak to the specifics regarding that, but I can say that we use an FQDN (splunk@mydomain.com) here, and it works without issue.

It does look like some have had success configuring the email server stuff in the actual search query itself, but I'm not sure if that helps...

http://splunk-base.splunk.com/answers/38624/how-to-configure-email-alert-using-gmail-smtp

0 Karma

CI2az
New Member

Adam,
I do appreciate the thought of placing this information in the Email Alert Settings of the GUI, but understand, I HAVE done this, and this is NOT the problem.

Also, to follow along with your first suggestion seems more probable to my problem, and has been attempted. The one thing I am concerned with is the comment contained within the code,

[email]
"from email address (name only, host will be appended automatically from mailserver)"

It specifically states to use the NAME to auth ONLY. Even still I have tried both, but still same problem with how Splunk tries to auth with the server.

0 Karma

yannK
Splunk Employee

The email server configuration is in
$SPLUNK_HOME/etc/system/local/alert_actions.conf

see http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Alertactionsconf

I never tested that, but if the UI complains about the format or the server,
you can try to add the server in it directly.

CI2az
New Member

I located this by reading the code a bit. It does seem to be the right area to modify, but when changes are completed, it still uses the other format. I am still looking around to wherever else it's calling this information, but haven't been too successful yet.

Any other thoughts?

0 Karma