
sendemail.py on splunk 9.21 and redhat9 not creating from field correctly

alfredoh14
Explorer

hello,
We upgraded our Red Hat 7 to 9 this past Monday,
and Splunk stopped sending emails.
We were inexperienced and unprepared for this, so we upgraded our Splunk Enterprise from 9.1 to 9.13 to see if this would fix it.
It did not.
Then we upgraded to 9.2; that did not fix it either.
I started adding debug mode to everything and found that Splunk would send the emails to Postfix and the Postfix logs would state the emails were sent.
However, after looking at it closer, I noticed the From field of the Splunk sendemail generated emails looked like:
splunk@prod
not splunk@prod.mydomain.com
(as they used to before we upgraded to Red Hat 9).

When we use mailx, the From field is constructed correctly, such as:
splunk@prod.domain.com

Extra Python debugging does not show the From field but only the user and the domain:
from': 'splunk', 'hostname': 'prod.mydomain.com',

My stanza in /opt/splunk/etc/system/local/alert_action.conf:
[email]
hostname = prod.mydomain.com

Does anyone know how to fix this?
Is there a setting in Splunk that would make sure the email From field is constructed correctly?
It is funny that if you add an incorrect "to" address Splunk whines, but if Splunk creates an incorrect to field address in sendemail, it is fine and just sends it to Postfix and lets it handle it, lol dandy 🙂


marnall
Builder

From your description, it seems like the upgrade of RH from 7 to 9 has disrupted Splunk's assumptions about the full DNS name. 

You could try being more specific in the configuration files until Splunk starts sending emails properly. E.g. you could set the from= field in alert_action.conf to be a full email address so that Splunk does not have to figure out the hostname to tack on with the ampersand.
NOTE:  alert_actions.conf is plural (alert_actions, not alert_action) 

#/opt/splunk/etc/system/local/alert_actions.conf
[email]
from = yoursplunkemail@yourdomain.com

You could also try a direct sendemail command:

| sendemail from="youremail@place.com" to="targetemail@place.com" subject="Test Email"

If you have different emails per alert, you could edit the alert in the Advanced Settings to explicitly set the from= field to a full email address.
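A small check that can be run with the Splunk host's Python to see why a bare sender ends up as splunk@prod rather than splunk@prod.mydomain.com. This is an added example, not code from Splunk's sendemail.py; it assumes (as the poster's debug output suggests) that a sender without "@" is completed by appending "@" plus whatever hostname the mailer obtains, and it contrasts the short hostname with the fully qualified one.

```python
import socket


def build_sender(sender: str, hostname: str) -> str:
    """Complete a bare sender by appending '@' + hostname.
    Assumption for this example: a sender that already contains '@'
    (the fix suggested above: from = full address) is left untouched."""
    if "@" in sender:
        return sender
    return f"{sender}@{hostname}"


def sender_problems(address: str) -> list[str]:
    """Return reasons a strict MTA may reject or rewrite this From address.
    An empty list means the address looks fully qualified."""
    problems = []
    if "@" not in address:
        problems.append("no '@' in address")
        return problems
    local, _, domain = address.rpartition("@")
    if not local:
        problems.append("empty local part")
    if "." not in domain:
        problems.append(f"domain '{domain}' is not fully qualified (no dot)")
    return problems


def check_host() -> dict:
    """Report the short and fully qualified hostname as Python sees them
    on this host; a mailer that uses the short form yields user@shortname."""
    short = socket.gethostname()
    fqdn = socket.getfqdn()
    return {"gethostname": short, "getfqdn": fqdn, "fqdn_has_dot": "." in fqdn}


if __name__ == "__main__":
    info = check_host()
    print(info)
    # Constructed sender 'splunk' mirrors the poster's debug output.
    for host in (info["gethostname"], info["getfqdn"]):
        addr = build_sender("splunk", host)
        print(addr, sender_problems(addr) or "ok")
    # A fully qualified from= needs no completion, whatever the hostname is.
    print(build_sender("yoursplunkemail@yourdomain.com", info["gethostname"]))
```

If `gethostname` comes back without a dot after the OS upgrade, setting a full `from =` in alert_actions.conf (as described above) sidesteps the hostname lookup entirely.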
