Reporting

Sendemail unexplained error: "command="sendemail", {} while sending mail to:"

xZinou
Explorer

Hello,

I've been trying to send emails automatically to recipients from search results; below is my code:

...
| eval email_footer=" "
| eval email_subject="Alert something"
| eval email_message="Dear colleague,

We received an IT alert regarding something.

Should you have any question, please contact us.

Best regards.

"

| map search="sendemail server="smtp.company.com" from="noreply@company.com" to="$BusinessEmail$" footer="$email_footer$" subject="$email_subject$" message="$email_message$""

I'm facing a number of anomalies with this:

  • My search works randomly (the last time I tried I was getting 2 successful attempts out of 5).
  • Hardcoding the "to" for testing does make sendemail work, but this produces an empty email (at least $email_message$ is not taken into consideration, if not $email_footer$ too).
  • When the search fails, the error I get is: command="sendemail", {} while sending mail to: with no recipient address nor details on why it failed. I have also tried other variables for the recipient but with no success.
  • Using sendemail directly without map has the same effects.

Any help or leads to troubleshoot this would be appreciated; I'm having difficulties finding answers in the search.log file.

Best regards.

0 Karma
1 Solution

xZinou
Explorer

Hello,

Apparently, there was no way to find more information about this because sendemail command uses an external Python script that was returning: command="sendemail", {} while sending mail to:.

Since the error wasn't mentioning the recipient address, I figured out that the value in the BusinessEmail field has "formatting issues". I tried other fields and also rebuilding this one through different evals, but nothing helped.

Finally, using table fixed the issue. I made every $<field>$ used in sendemail into a table before calling sendemail:

| table BusinessEmail, email_footer, email_subject, email_message
| map search="sendemail server="smtp.company.com" from="noreply@company.com" to="$BusinessEmail$" footer="$email_footer$" subject="$email_subject$" message="$email_message$""

The problem I was having is now reproducible: each time I remove table it reappears. I'm not sure how many people are facing this, and I wonder whether this should be mentioned in the Sendemail command documentation.

Best regards.


0 Karma
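The accepted answer pins the failure on a recipient value that looked fine in the results table but was rejected by the sendemail script, which then reported no address at all. The added example below (my own code, not part of this thread or of Splunk) shows the pre-flight check I would run over the exported search results before handing each row to map/sendemail: it normalises each BusinessEmail value, records what was wrong with it (surrounding whitespace, embedded control characters, an empty cell, something that is not a single address), and separates the rows that can be safely sent from the ones that need fixing. The CSV sample is constructed for the example; the column names follow the thread.

```python
import csv
import io
import re

# Constructed sample of what the search returns just before the sendemail step.
# Row 2 carries a trailing space, row 3 an embedded newline, row 4 is empty:
# all are "formatting issues" that a rendered results table hides.
SAMPLE_RESULTS = (
    "BusinessEmail,email_subject\r\n"
    "alice@example.com,Alert something\r\n"
    "\"bob@example.com \",Alert something\r\n"
    "\"carol@example.com\n\",Alert something\r\n"
    ",Alert something\r\n"
)

# Deliberately simple single-address pattern: one local part, one domain, no lists.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Defects that normalisation repairs without changing who receives the mail.
FIXABLE = {"leading/trailing whitespace"}


def check_recipient(raw):
    """Return (normalised_address, list_of_problems) for one BusinessEmail value."""
    problems = []
    if not raw:
        return "", ["empty recipient"]
    if any(ord(c) < 32 or ord(c) == 127 for c in raw):
        problems.append("control character (newline/tab) inside address")
    if raw != raw.strip():
        problems.append("leading/trailing whitespace")
    # Drop control characters, then trim, so the report shows what was really there.
    cleaned = "".join(c for c in raw if ord(c) >= 32 and ord(c) != 127).strip()
    if not ADDRESS_RE.match(cleaned):
        problems.append("does not look like a single address")
    return cleaned, problems


def triage_results(csv_text):
    """Walk the result rows and say which ones would reach sendemail with a bad 'to'."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    report = []
    for rownum, row in enumerate(reader, start=1):
        raw = row.get("BusinessEmail")
        cleaned, problems = check_recipient(raw)
        report.append({"row": rownum, "raw": raw, "to": cleaned, "problems": problems})
    return report


def usable_recipients(csv_text):
    """Addresses safe to hand to sendemail: clean rows plus rows whose only defect was whitespace."""
    return [r["to"] for r in triage_results(csv_text) if set(r["problems"]) <= FIXABLE]


if __name__ == "__main__":
    for entry in triage_results(SAMPLE_RESULTS):
        status = "OK" if not entry["problems"] else "; ".join(entry["problems"])
        print(f"row {entry['row']}: {entry['raw']!r} -> {entry['to']!r} [{status}]")
    print("would send to:", usable_recipients(SAMPLE_RESULTS))
```

Running this over an export of the real results (Export > CSV from the search, or `| outputcsv`) gives the one thing the sendemail error message withheld: which row carried the address that could not be sent. Rows flagged with a control character or an empty cell should be dropped or fixed upstream rather than trimmed silently, since the script will otherwise be invoked with input it cannot use.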


begleyj1
Path Finder

What is your search using the sendemail command? I find a bit more luck with that than attempting to map.

0 Karma

xZinou
Explorer

Hello,
Thanks for your comment.
I search the email logs for people who received an email from certain domains. Since the search returns multiple rows, I should loop over the results to send an email to each of the recipients.
I am not aware of other means to achieve this without the use of map.

0 Karma

richgalloway
SplunkTrust

Have you searched for "sendemail" in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

xZinou
Explorer

There is no mention of sendemail in splunkd.log (cat splunkd.log | grep sendemail).

I believe you wanted to say search.log. I opened the file in my browser; I have 300+ mentions of sendemail and 1400+ mentions of error. The file is huge (production environment) and navigating it through the browser is not possible. Can you please tell me where this file is located in the Splunk folder?

Thank you.

0 Karma

richgalloway
SplunkTrust

If you don't find "sendemail" in splunkd.log try searching index=_internal.
Search logs are in the dispatch directories for the respective searches. Start in $SPLUNK_HOME/var/run/dispatch then look for the search ID of the problem search(es).

---
If this reply helps you, Karma would be appreciated.

xZinou
Explorer

Thank you, below is what I have found:

02-03-2020 15:08:29.386 INFO  script - Invoked script sendemail with 544 input bytes (0 events).  Returned 35 output bytes in 9786 ms.
02-03-2020 15:08:29.386 DEBUG SearchResultsCSVSerializer - Head from csv file read: inds.size() = 1
02-03-2020 15:08:29.386 DEBUG script - elapsed output: 1
02-03-2020 15:08:29.386 ERROR script - sid:subsearch_1580738823.39971_1580738899.4 command="sendemail", {} while sending mail to:
02-03-2020 15:08:29.386 DEBUG SearchProcessor - execute_dispatch - Post-execute - processor="sendemail" type="SP_REPORT" results_estimate_heap_usage=0 results_size=0
02-03-2020 15:08:29.386 DEBUG SearchResultsFiles - fmt=srs
02-03-2020 15:08:29.386 DEBUG SearchResultsFiles - alg=gzip

This is the same error displayed in Splunk web, I see no extra information here.

Any ideas?

0 Karma
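The reply above points at the dispatch directory, and the log excerpt that follows shows why grepping a huge search.log in a browser does not help: the useful lines are a handful of `script` records among thousands of DEBUG entries. The added example below (my own code, not from the thread or from Splunk) walks a dispatch tree, parses each search.log line into timestamp, level, component and message, and pulls out two things for the sendemail script: the ERROR/WARN lines that mention it, and the "Invoked script sendemail with N input bytes (M events)" summaries. The fixture it builds in a temporary directory is constructed for the example, with log lines modelled on the ones quoted above; on a real server you would point `sendemail_events` at `$SPLUNK_HOME/var/run/dispatch` instead.

```python
import os
import re
import tempfile

# Constructed fixture: a fake dispatch tree with two search directories.
# The first search.log reproduces the lines quoted in the thread; the second
# is an invented healthy run so the summary has something to compare against.
SID = "subsearch_1580738823.39971_1580738899.4"
SEARCH_LOG = """02-03-2020 15:08:29.386 INFO  script - Invoked script sendemail with 544 input bytes (0 events).  Returned 35 output bytes in 9786 ms.
02-03-2020 15:08:29.386 DEBUG script - elapsed output: 1
02-03-2020 15:08:29.386 ERROR script - sid:subsearch_1580738823.39971_1580738899.4 command="sendemail", {} while sending mail to:
02-03-2020 15:08:29.386 DEBUG SearchProcessor - execute_dispatch - Post-execute - processor="sendemail" type="SP_REPORT" results_estimate_heap_usage=0 results_size=0
"""
OTHER_SID = "1580738900.1"  # hypothetical second search
OTHER_LOG = "02-03-2020 15:10:01.000 INFO  script - Invoked script sendemail with 600 input bytes (1 events).  Returned 0 output bytes in 1200 ms.\n"

# Layout of a search.log line: "<date> <time> <LEVEL>  <component> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$")
INVOKE_RE = re.compile(
    r"Invoked script sendemail with (\d+) input bytes \((\d+) events\)\.\s+"
    r"Returned (\d+) output bytes in (\d+) ms"
)


def build_fixture():
    """Create <tmp>/<sid>/search.log for each constructed search and return the root."""
    root = tempfile.mkdtemp(prefix="dispatch_")
    for sid, text in ((SID, SEARCH_LOG), (OTHER_SID, OTHER_LOG)):
        os.makedirs(os.path.join(root, sid))
        with open(os.path.join(root, sid, "search.log"), "w") as fh:
            fh.write(text)
    return root


def parse_line(line):
    """Split one search.log line into its fields, or return None for continuation lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def iter_search_logs(dispatch_root, sid_filter=None):
    """Yield (sid, path) for every search.log under the dispatch directory."""
    for sid in sorted(os.listdir(dispatch_root)):
        if sid_filter and sid != sid_filter:
            continue
        path = os.path.join(dispatch_root, sid, "search.log")
        if os.path.isfile(path):
            yield sid, path


def sendemail_events(dispatch_root, sid_filter=None, levels=("ERROR", "WARN")):
    """Return [(sid, parsed_line)] for sendemail-related lines at the given levels."""
    hits = []
    for sid, path in iter_search_logs(dispatch_root, sid_filter):
        with open(path) as fh:
            for line in fh:
                rec = parse_line(line)
                if rec and rec["level"] in levels and "sendemail" in rec["msg"]:
                    hits.append((sid, rec))
    return hits


def script_invocations(dispatch_root):
    """Summarise each sendemail invocation: bytes in, events in, bytes out, runtime."""
    out = []
    for sid, path in iter_search_logs(dispatch_root):
        with open(path) as fh:
            for line in fh:
                m = INVOKE_RE.search(line)
                if m:
                    out.append({"sid": sid, "input_bytes": int(m.group(1)), "events": int(m.group(2)),
                                "output_bytes": int(m.group(3)), "ms": int(m.group(4))})
    return out


if __name__ == "__main__":
    root = build_fixture()
    for sid, rec in sendemail_events(root):
        print(f"{sid}: {rec['level']} {rec['msg']}")
    for inv in script_invocations(root):
        print(f"{inv['sid']}: {inv['events']} events in, {inv['output_bytes']} bytes out, {inv['ms']} ms")
```

The invocation summary is worth reading alongside the error: the quoted INFO line says the script was handed 544 input bytes but 0 events, which is consistent with the recipient row never reaching the script in usable form, exactly the symptom the accepted answer worked around with `table`. Comparing the events count across failing and succeeding SIDs is a much faster check than paging through the DEBUG noise.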