Hello,
I've been trying to send emails automatically to recipients from search results. My code is below:
...
| eval email_footer=" "
| eval email_subject="Alert something"
| eval email_message="Dear colleague,
We received an IT alert regarding something.
Should you have any question, please contact us.
Best regards.
"
| map search="sendemail server="smtp.company.com" from="noreply@company.com" to="$BusinessEmail$" footer="$email_footer$" subject="$email_subject$" message="$email_message$""
I'm facing a number of anomalies with this:
command="sendemail", {} while sending mail to:
with no recipient address nor details on why it failed. I have also tried other variables for the recipient but with no success. Any help or leads to troubleshoot this would be appreciated, I'm having difficulties finding answers in the search.log file.
Best regards.
Hello,
Apparently, there was no way to find more information about this because the sendemail command uses an external Python script that was returning: command="sendemail", {} while sending mail to:.
Since the error wasn't mentioning the recipient address, I figured out that the value in the BusinessEmail field has "formatting issues". I tried other fields and also rebuilding this one through different evals but nothing helped.
Finally, using table fixed the issue. I made every $<field>$ used in sendemail into a table before calling sendemail:
| table BusinessEmail, email_footer, email_subject, email_message
| map search="sendemail server="smtp.company.com" from="noreply@company.com" to="$BusinessEmail$" footer="$email_footer$" subject="$email_subject$" message="$email_message$""
The problem I was having is now reproducible: each time I remove table it reappears. I'm not sure how many people are facing this, and I wonder whether this should be mentioned in the sendemail command documentation.
Best regards.
What is your search using the sendemail command? I find a bit more luck with that than attempting to map.
Hello,
Thanks for your comment.
I search in email logs for people that received an email from certain domains. Since the search returns multiple rows, I should loop on the results to send an email to each of the recipients.
I am not aware of other means to achieve this without the use of map.
Have you searched for "sendemail" in splunkd.log?
There is no mention of sendemail in splunkd.log: cat splunkd.log | grep sendemail.
I believe you wanted to say search.log. I opened the file in my browser, I have +300 mentions of sendemail and +1400 mentions of error. The file is huge (production environment) and navigating it through the browser is not possible. Can you please tell me where this file is located in the Splunk folder?
Thank you.
If you don't find "sendemail" in splunkd.log try searching index=_internal.
Search logs are in the dispatch directories for the respective searches. Start in $SPLUNK_HOME/var/run/dispatch then look for the search ID of the problem search(es).
Thank you, below is what I have found:
02-03-2020 15:08:29.386 INFO script - Invoked script sendemail with 544 input bytes (0 events). Returned 35 output bytes in 9786 ms.
02-03-2020 15:08:29.386 DEBUG SearchResultsCSVSerializer - Head from csv file read: inds.size() = 1
02-03-2020 15:08:29.386 DEBUG script - elapsed output: 1
02-03-2020 15:08:29.386 ERROR script - sid:subsearch_1580738823.39971_1580738899.4 command="sendemail", {} while sending mail to:
02-03-2020 15:08:29.386 DEBUG SearchProcessor - execute_dispatch - Post-execute - processor="sendemail" type="SP_REPORT" results_estimate_heap_usage=0 results_size=0
02-03-2020 15:08:29.386 DEBUG SearchResultsFiles - fmt=srs
02-03-2020 15:08:29.386 DEBUG SearchResultsFiles - alg=gzip
This is the same error displayed in Splunk web, I see no extra information here.
Any ideas?
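Added example, not part of the thread and not Splunk's own code: a small Python scanner that reads the search.log files under a dispatch directory line by line and pulls out only the sendemail invocation and error lines, so a huge log does not need to be opened in a browser. The function names are hypothetical, the patterns are derived only from the log lines quoted above, and it assumes each search.log sits somewhere under the directory passed in.

```python
import os
import re
import tempfile

# Patterns follow the search.log line shapes quoted in this thread.
INVOKED = re.compile(r"Invoked script sendemail with (\d+) input bytes \((\d+) events\)")
ERROR = re.compile(r'ERROR\s+script - sid:(\S+) command="sendemail", (.*?) while sending mail to:\s*(.*)$')

def scan_search_log(path):
    """Return sendemail findings from one search.log without loading it whole."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = INVOKED.search(line)
            if m:
                findings.append({"line": lineno, "kind": "invoked",
                                 "input_bytes": int(m.group(1)), "events": int(m.group(2))})
                continue
            m = ERROR.search(line.rstrip())
            if m:
                # An empty recipient means the to= value never reached the script.
                findings.append({"line": lineno, "kind": "error", "sid": m.group(1),
                                 "detail": m.group(2), "recipient": m.group(3).strip()})
    return findings

def scan_dispatch(dispatch_dir):
    """Map every search.log found under dispatch_dir to its sendemail findings."""
    report = {}
    for root, _dirs, files in os.walk(dispatch_dir):
        if "search.log" in files:
            path = os.path.join(root, "search.log")
            found = scan_search_log(path)
            if found:
                report[path] = found
    return report

# Log lines copied from the post above; the directory they are written to is constructed.
SAMPLE = """\
02-03-2020 15:08:29.386 INFO script - Invoked script sendemail with 544 input bytes (0 events). Returned 35 output bytes in 9786 ms.
02-03-2020 15:08:29.386 DEBUG script - elapsed output: 1
02-03-2020 15:08:29.386 ERROR script - sid:subsearch_1580738823.39971_1580738899.4 command="sendemail", {} while sending mail to:
"""

def demo():
    # Build a scratch dispatch tree, scan it, and return the findings for its one log.
    with tempfile.TemporaryDirectory() as tmp:
        job = os.path.join(tmp, "constructed_job")
        os.makedirs(job)
        with open(os.path.join(job, "search.log"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        return list(scan_dispatch(tmp).values())[0]
```

On a real instance, call scan_dispatch on the dispatch directory named in the answer above; each error finding carries the sid, so it can be matched to the search that produced it.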