Since some version (now using 8.1.2) I have trouble using the 'sendemail' command in a search (dashboard/form) for users that have the standard user roles. This issue has been troubling me for almost 1.5 years now. Of course I am aware of the need to select 'list_settings', but that never gave a result. Selecting 'admin_all_objects' in the standard user role is successful.
But using 'admin_all_objects' for standard users is nothing but a security breach. That cannot be the solution, so what do I miss here?
And why does Splunk not create a special and straightforward capability for this 'sendemail' command?
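An added audit check, not from this thread and not Splunk's own code, that flags roles in authorize.conf which hold admin_all_objects directly or through importRoles inheritance, the over-privilege the question describes. It parses the real [role_<name>] / "capability = enabled" / "importRoles = a;b" stanza format; the conf text embedded below is a constructed sample, not a real deployment.

```python
# Added example, not from the thread: audit a Splunk authorize.conf for roles
# that hold admin_all_objects directly or through importRoles inheritance.
# Uses the real stanza format ([role_<name>], "cap = enabled", "importRoles = a;b");
# the conf text below is a constructed sample, not a real deployment.
import configparser

SAMPLE_AUTHORIZE_CONF = """
[role_admin]
admin_all_objects = enabled
list_settings = enabled
[role_user]
list_settings = enabled
schedule_search = enabled
admin_all_objects = enabled
[role_dashboard_viewer]
importRoles = user
[role_readonly]
search = enabled
"""

def parse_roles(conf_text):
    """Return {role: (direct capabilities, imported roles)} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # capability names are case-sensitive; do not lowercase them
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue  # skip [capability::*] and other non-role stanzas
        stanza = cp[section]
        caps = {k for k, v in stanza.items() if v.strip().lower() == "enabled"}
        imports = [r.strip() for r in stanza.get("importRoles", "").split(";") if r.strip()]
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_capabilities(roles, name, _seen=None):
    """Capabilities a role holds directly or via importRoles (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in roles:
        return set()
    _seen.add(name)
    caps, imports = roles[name]
    return set(caps).union(*(effective_capabilities(roles, p, _seen) for p in imports))

def roles_with_admin_all_objects(conf_text, allowed=("admin",)):
    """Non-allow-listed roles that end up with admin_all_objects; an empty list is the goal."""
    roles = parse_roles(conf_text)
    return sorted(r for r in roles if r not in allowed
                  and "admin_all_objects" in effective_capabilities(roles, r))
```

Run it against $SPLUNK_HOME/etc/system/local/authorize.conf (and any app-level authorize.conf) after a workaround like the one in this thread, so the temporary grant does not outlive the bug.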
update from support:
I hope you are doing well. I was reviewing the known issues list and I found the issue number SPL-138647; see the link below for more information. https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues
Let me know if it worked for you.
What I did:
On our non-production instance/machine (rather a fresh installation), I did:
Auth_password = xx
mailserver = smtp.office365.com:587
sslVersions = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
Unfortunately no success.
Unfortunately Splunk support does not respond! They advised me earlier to select 'admin_all_objects' to use the command anyway, because I really need sendemail for some customers. Since v8.0 the other alternative was the option 'sendresults', but that was also not working anymore. I hoped this would be solved in the next version, but after 8.1.2 I am still struggling with this issue and have had my 'door wide open' since then because of this.
It is a known issue that affects some versions and should be fixed as of now.
8.1.2 should have the fix I think.
If not the case, please open a support case and have the support investigate with you.
last update Wednesday from Splunk support:
"... just want to give you an update about the case, we are still working to find a solution, I engaged additional support to assist us with the issue, as soon as we have more information we will let you know. Please feel free to contact us if you have any questions."
Keep you posted...
Unfortunately no success yet.
Just installed a complete fresh Splunk instance v8.1.2 from scratch on w2019, no adjustments made. Only configured the SMTP server setting. Tested it with the admin account: sendemail works (but this has 'admin_all_objects' as a default capability).
Created a test account with the standard user role (defaults without the 'admin_all_objects' capability). Sendemail does not work, without any visible error, although the search itself results in a timestamp.
Search in Search & Reporting used:
| sendemail to="firstname.lastname@example.org", from="email@example.com",
subject="test-message", sendresults=false inline=true format=raw content_type=html
Results in python.log:
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1593, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 376, in sendEmail
    if ssContent['action.email.sendresults'] or ssContent['action.email.sendpdf'] or ssContent['action.email.sendcsv']: