Reporting

sendemail returned error code 1

pde7
Explorer

Whenever I attempt to pipe results to the sendemail function, I get the following error:

External search command 'sendemail' returned error code 1.

Here's an example of the command I use:

error OR failure OR severe | sendemail to=myemail sendresults=true server=mysmtpgateway from=myemail format=text

I can confirm via direct telnet that my smtpgateway server is responding and accepting emails. Ideas? What does error code 1 mean in this context? Is this a python problem? Where can I look for more log details? (I've set "EmailSender" log level to DEBUG but I'm not sure how to find the output.)

Tags (2)
0 Karma
1 Solution

Justin
Path Finder

We were having the same problem with sendemail not working after upgrading to 4.3 and stayed broken in 4.3.1. After much troubleshooting, I discovered that the issue was with one of the new features in 4.3 which allowed each user in Splunk to set what timezone they are in. After the upgrade, I had changed my timezone to try the new feature, and didn't realize that it immediately broke sendemail. So, I changed my timezone back to default under Manager->Your Account, and sendemail worked again.

This bug has been reported to Splunk support and will hopefully get fixed in a future release.

View solution in original post

yannK
Splunk Employee
Splunk Employee

Hi you may have encountered this new bug
SPL-48993 "Windows 2008 - sendemail fails if user is not using default server timezone "

The user running the search is using a different timezone than the server, see manager > your account

It produces this error in splunkd.log


03-05-2012 16:07:45.240 -0500 ERROR ScriptRunner - stderr from 'D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py': ImportError: DLL load failed: %1 is not a valid Win32 application.
03-05-2012 16:07:45.490 -0500 ERROR script - External search command 'sendemail' returned error code 1.

The fix is not yet available,
the temporary workarounds are to :

  • change the timezone for the user running those searches to "default system timezone"
  • or schedule the email alerts from another splunk search-head, on another OS (not Windows 2008) or another version (not 4.3.* )
0 Karma

farleymike
Explorer

Thanks for the update to this issue. We ended up moving Splunk from Windows to Ubuntu for other reasons, but it's nice to know the cause and a temporary workaround.

0 Karma

Justin
Path Finder

We were having the same problem with sendemail not working after upgrading to 4.3 and stayed broken in 4.3.1. After much troubleshooting, I discovered that the issue was with one of the new features in 4.3 which allowed each user in Splunk to set what timezone they are in. After the upgrade, I had changed my timezone to try the new feature, and didn't realize that it immediately broke sendemail. So, I changed my timezone back to default under Manager->Your Account, and sendemail worked again.

This bug has been reported to Splunk support and will hopefully get fixed in a future release.

pde7
Explorer

I tried calling the sendemail.py directly and I'm getting library import errors:

D:\Splunk\etc\apps\search\bin>python sendemail.py
Traceback (most recent call last):
File "sendemail.py", line 2, in
import re,sys,time,logging,splunk.Intersplunk, splunk.mining.dcutils as dcu
.
.
.
File "D:\Splunk\Python-2.7\lib\site-packages\splunk\clilib\cli_common.py", line 6, in
import lxml.etree as etree
ImportError: DLL load failed: %1 is not a valid Win32 application.

0 Karma

farleymike
Explorer

We are having the same problem.

Splunk 4.3, Windows 2008 R2 fully patched. Splunk is running as a domain user with local admin privileges (even added all the security privileges required). Splunk's installed on the 😧 drive.

When I pipe results to 'sendemail' with all the appropriate settings I receive:

"External search command 'sendemail' returned error code 1."

We've rebuilt the OS, and even installed Splunk on a Windows 7 VM and the 'sendemail' command works just fine.

The 'splunkd.log' contains the following:

02-16-2012 10:40:26.759 -0800 ERROR
ScriptRunner - stderr from
'D:\Splunk\etc\apps\search\bin\sendemail.py':
ImportError: No module named site
02-16-2012 10:40:26.759 -0800 ERROR
ScriptRunner - extern write error:
errno=The pipe is being closed.
02-16-2012 10:40:26.790 -0800 ERROR
script - External search command
'sendemail' returned error code 1.

I added a 'PYTHONPATH' env. variable and pointed it to D:\Splunk\Python-2.7\lib, which caused the logged errors to change. Definitely something strange going on with the Python environment.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...