
Splunk sendemail no longer works without search results as of newer Splunk versions (such as 7.3.3)


An old trick used by some searches was to run:
| map search="| sendemail to=

This example is explained in the (old) answer How can I use a combination of map and sendemail to include spaces in the field values?

As of more recent Splunk versions this trick no longer works; this Q&A exists only to help others find this issue in their environments, as I recently found it in production... (when the emails stopped sending).

I can confirm this trick does not work in 7.3.3; I believe it worked in 7.2.6 and possibly 7.3.0, but either way there are better solutions (see the answer below).

1 Solution

Effectively, new Splunk versions no longer allow:

| sendemail ...

There must be more than zero results, so one workaround is:

| makeresults | sendemail ...

However, what I find to be a nicer solution is sendresults on SplunkBase.

To detect the usage of searches using the | map sendemail trick, you may wish to use a REST endpoint and a regex such as:

| rest splunk_server=local "/servicesNS/-/-/saved/searches" count=0 f=search f=eai:* f=app
| regex search="(?s)\|\s*map\s+.*?((search\s*=\s*\"\s*\|?\s*sendemail)|(\[\s*\|?\s*sendemail))"
| table author, eai:acl.app, eai:acl.sharing, title, splunk_server, updated

If you found this useful please up-vote. If anyone knows the specific versions, I can update the post with when this stopped working; support have advised this change was done on purpose and therefore it is not a bug.

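The detection regex from the answer applied outside Splunk, as an added example (not the poster's code): it runs the same pattern over a constructed set of saved-search strings, standing in for the search field returned by the /saved/searches endpoint, and returns the titles that use the map/sendemail trick in either the search= form or the subsearch form, while the makeresults workaround and an ordinary map are not flagged.

```python
import re

# The regex from the answer, unchanged apart from Python string quoting;
# (?s) lets .*? span newlines inside multi-line saved searches.
MAP_SENDEMAIL = re.compile(
    r'(?s)\|\s*map\s+.*?((search\s*=\s*"\s*\|?\s*sendemail)|(\[\s*\|?\s*sendemail))'
)

# Constructed sample data (not from any real deployment): title -> search
# string, mimicking the "search" field of /servicesNS/-/-/saved/searches.
SAMPLE_SAVED_SEARCHES = {
    "alert_map_search_form":
        'index=_internal log_level=ERROR | head 1 '
        '| map search="| sendemail to=ops@example.com subject=errors"',
    "alert_map_subsearch_form":
        'index=_audit action=login failure | stats count '
        '| map [| sendemail to=ops@example.com subject=logins]',
    "alert_makeresults_workaround":
        '| makeresults | sendemail to=ops@example.com subject=heartbeat',
    "report_plain_map":
        'index=main | map search="search index=other host=$host$"',
}


def find_map_sendemail(saved_searches):
    """Return, sorted, the titles whose search uses the map -> sendemail trick."""
    return sorted(title for title, spl in saved_searches.items()
                  if MAP_SENDEMAIL.search(spl))


def trick_form(spl):
    """Say which variant a matching search uses ('search=' or 'subsearch'),
    or None when the regex does not match at all."""
    m = MAP_SENDEMAIL.search(spl)
    if not m:
        return None
    return "search=" if m.group(2) else "subsearch"


if __name__ == "__main__":
    for title in find_map_sendemail(SAMPLE_SAVED_SEARCHES):
        print(title, trick_form(SAMPLE_SAVED_SEARCHES[title]))
```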
