Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are mailserver settings in alert_actions.conf not being followed?

jcrabb_splunk
Splunk Employee
Splunk Employee
‎06-14-2017 01:56 PM

I have configured alert_actions.conf in $SPLUNK_HOME/etc/system/local/ but some alerts are still using “localhost” and not being received. I have configured that there are no other alert_actions.conf besides the default ones and btool output confirms that the settings are being applied correctly. 

/opt/splunk/etc/system/local/alert_actions.conf                [email]
/opt/splunk/etc/system/local/alert_actions.conf                mailserver = testmailhost.com

Looking in python.log I show both the new mail server and localhost being applied.

Working

2017-06-14 15:45:02,017 -0400 INFO  sendemail:124 - Sending email.subject="Splunk Alert: Test_Alert_01", results_link="http://hostname:8000/app/search/@go?sid=scheduler__admin__search__<SID>", recipients=“[u’user@mydomain.com']", server="testmailhost.com"

Not Working

2017-06-14 15:45:02,017 -0400 INFO  sendemail:124 - Sending email. subject="Splunk Alert: Test_Alert_02", results_link="http://hostname:8000/app/search/@go?sid=scheduler__admin__search__<SID>", recipients=“[u’user@mydomain.com']", server=“localhost”

What could be causing this behavior?

Jacob
Sr. Technical Support Engineer
Reply
1 Solution
Solved! Jump to solution
Solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎06-14-2017 01:56 PM

Mailhost settings can be applied in both alert_actions.conf and savedsearches.conf. If you have applied alert_actions.conf globally (this configuration can be applied at an app or user level) but some alerts are going to a different mail host than specific there, it could be configured under savedsearches.conf. If you review the spec file, you will find it also has a mail server setting:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Savedsearchesconf

[savedsearch-name]
action.email.mailserver = <string>
* Set the address of the MTA server to be used to send the emails.
* Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

As demonstrated above, this can be applied to a search and will take precedent over the setting in alert_actions.conf. Confirm that the affected alerts do not contain this potential configuration.

Jacob
Sr. Technical Support Engineer

View solution in original post

Reply
Solved! Jump to solution
Solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎06-14-2017 01:56 PM

Mailhost settings can be applied in both alert_actions.conf and savedsearches.conf. If you have applied alert_actions.conf globally (this configuration can be applied at an app or user level) but some alerts are going to a different mail host than specific there, it could be configured under savedsearches.conf. If you review the spec file, you will find it also has a mail server setting:

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Savedsearchesconf

[savedsearch-name]
action.email.mailserver = <string>
* Set the address of the MTA server to be used to send the emails.
* Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

As demonstrated above, this can be applied to a search and will take precedent over the setting in alert_actions.conf. Confirm that the affected alerts do not contain this potential configuration.

Jacob
Sr. Technical Support Engineer
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎06-14-2018 07:15 AM

Hi,

I have a similar issue.

I am declaring action.email.subject = REMINDER: Cur in my savedsearches.conf in one of my apps. But when the email is getting triggered the subject isnt getting changed. Its still taking from the default alert_actions.conf file i.e. SplunkAlert-.

Why my subject is not getting changed ?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...