
Sendemail action not working

elllie
New Member

Hello,

I have scheduled a search to run every 15 mins and added the following actions when the search returns results:
- Add to triggered alerts;
- Send email.

When the scheduled search returns results, it gets added to the Triggered Alerts but the sendemail action does not work.
When looking at the python.log it shows the following:
2018-03-15 11:51:06,163 +0100 INFO sendemail:134 - Sending email. subject="Splunk Alert: Multiple Failed logon attempts alert", results_link=splunk_scheduled_search", recipients="[u'user@mail.com']", server="smtp.mail.com"

It appears that when I include the sendemail command in the query, it works fine, but not through the scheduled alerts.

Any ideas why?

0 Karma

p_gurav
Champion

Hi,

Can you try increasing the values of the parameters below in alert_actions.conf:

ttl     = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
  of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
  by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours)   for: email, rss
* Defaults to   600 (10 minutes) for: script
* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup

maxtime = <integer>[m|s|h|d]
* The maximum amount of time that the execution of an action is allowed to
  take before the action is aborted.
* Use the d, h, m and s suffixes to define the period of time:
  d = day, h = hour, m = minute and s = second.
  For example: 5d means 5 days.
* Defaults to 5m for everything except rss.
* Defaults to 1m for rss.
0 Karma

p_gurav
Champion

Any other error in _internal logs?

0 Karma

elllie
New Member

From scheduler.log:
03-15-2018 10:53:02.185 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;Multiple Failed logon attempts alert", search_type="scheduled", user="admin", app="search", savedsearch_name="Multiple Failed logon attempts alert", priority=default, status=success, digest_mode=1, scheduled_time=1521110880, window_time=0, dispatch_time=1521110880, run_time=0.203, result_count=2, alert_actions="email", sid="scheduler_adminsearch_RMD5cf1e87219f408a1a_at_1521110880_14", suppressed=0, thread_id="AlertNotifierWorker-1"

splunkd.log:
03-15-2018 10:53:01.642 +0000 WARN ScriptRunner - Killing script, probably timed out, grace=5sec, script="C:\Program Files\Splunk\bin\PYTHON.EXE C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py "results_link=http://SOUTH-SEC-01:8000/app/search/@go?sid=scheduler__admin__search__RMD5cf1e87219f408a1a_at_152111..." "ssname=Multiple Failed logon attempts alert" "graceful=True" "trigger_time=1521110881" results_file="C:\Program Files\Splunk\var\run\splunk\dispatch\scheduler_adminsearch_RMD5cf1e87219f408a1a_at_1521110880_14\results.csv.gz""

03-15-2018 10:53:02.185 +0000 ERROR script - sid:scheduler_adminsearch_RMD5cf1e87219f408a1a_at_1521110880_14 Script execution failed for external search command 'sendemail'

0 Karma
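A small triage script, added here as an example (it is not from the thread or from Splunk), that joins the scheduler.log record for a run to the ScriptRunner kill and the "Script execution failed" line in splunkd.log for the same sid, so a run the scheduler reports as status=success while its email action was killed is surfaced explicitly. The sample lines are constructed from the excerpts above (shortened), and the regexes encode my assumptions about the line layout, including that the dispatch directory named in results_file equals the sid.

```python
import re

# Constructed sample lines modelled on the scheduler.log and splunkd.log excerpts in the thread
# (sid and search name copied from it, paths shortened); raw strings keep the Windows backslashes.
SCHEDULER_LOG = r'''03-15-2018 10:53:02.185 +0000 INFO SavedSplunker - savedsearch_name="Multiple Failed logon attempts alert", priority=default, status=success, result_count=2, alert_actions="email", sid="scheduler_adminsearch_RMD5cf1e87219f408a1a_at_1521110880_14", suppressed=0'''
SPLUNKD_LOG = r'''03-15-2018 10:53:01.642 +0000 WARN ScriptRunner - Killing script, probably timed out, grace=5sec, script="C:\Program Files\Splunk\bin\PYTHON.EXE C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py results_file="C:\Program Files\Splunk\var\run\splunk\dispatch\scheduler_adminsearch_RMD5cf1e87219f408a1a_at_1521110880_14\results.csv.gz""
03-15-2018 10:53:02.185 +0000 ERROR script - sid:scheduler_adminsearch_RMD5cf1e87219f408a1a_at_1521110880_14 Script execution failed for external search command 'sendemail'
03-15-2018 10:55:01.000 +0000 INFO ScriptRunner - an unrelated line that must be ignored'''

# scheduler.log key=value fields (quoted or bare) needed per run
SCHED_FIELDS = {k: re.compile(rf'\b{k}="?([^",]+)') for k in ("sid", "savedsearch_name", "alert_actions", "status")}
# splunkd.log: the ScriptRunner kill carries no sid, but the dispatch directory in results_file is the sid
# (assumption); the ERROR line that follows names the sid and the external command that failed
KILL = re.compile(r'Killing script, probably timed out, grace=(\d+)sec.*[\\/]dispatch[\\/]([^\\/"]+)[\\/]')
FAIL = re.compile(r"ERROR script - sid:(\S+) Script execution failed for external search command '([^']+)'")


def parse_scheduler(text):
    """Map sid -> {savedsearch_name, alert_actions, status} from SavedSplunker lines."""
    runs = {}
    for line in text.splitlines():
        if "SavedSplunker" not in line:
            continue
        rec = {k: (m.group(1) if (m := p.search(line)) else "") for k, p in SCHED_FIELDS.items()}
        if rec["sid"]:
            runs[rec.pop("sid")] = rec
    return runs


def parse_splunkd(text):
    """Map sid -> {'grace_sec': n} and/or {'failed_command': name} from ScriptRunner/script lines."""
    evidence = {}
    for line in text.splitlines():
        if m := KILL.search(line):
            evidence.setdefault(m.group(2), {})["grace_sec"] = int(m.group(1))
        elif m := FAIL.search(line):
            evidence.setdefault(m.group(1), {})["failed_command"] = m.group(2)
    return evidence


def diagnose(scheduler_text, splunkd_text):
    """One finding per run whose action script was killed or failed, joined to the scheduler
    record so status=success sits next to the failed action (the symptom in this thread)."""
    runs = parse_scheduler(scheduler_text)
    findings = []
    for sid, ev in parse_splunkd(splunkd_text).items():
        run = runs.get(sid, {})
        findings.append({"sid": sid, "savedsearch": run.get("savedsearch_name", "<no scheduler record>"),
                         "actions": run.get("alert_actions", ""), "scheduler_status": run.get("status", ""),
                         "failed_command": ev.get("failed_command"), "grace_sec": ev.get("grace_sec")})
    return findings
```

A finding with grace_sec set means the action script started but was aborted for exceeding its time limit, which is what the maxtime setting quoted in the answer above controls.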