sendemail via SMTP relay server

frank_buettner
Explorer

Hi,

I'm trying to send emails via an SMTP relay server (alias "smart host" or "smarthost" [2]). No authentication is needed and no encryption is supported. I added the following [sendemail] command to my /opt/splunk/etc/apps/search/local/commands.conf:

[sendemail]
filename = sendemail.py
streaming = false
run_in_preview = false
passauth = false
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
is_risky = true
supports_multivalues = true
use_ssl = false
use_tls = false
from = <email address>
server = <relay server host name>:<port>

When I try the search * | head 1 | sendemail to="<my email>" sendresults=true as Splunk administrator from within the search app context, the error ERROR sendemail:1341 - 'namespace' occurs in /opt/splunk/var/log/splunk/python.log. The result is shown in the browser (one event).

Another application (not Splunk) successfully sends emails via this relay server (from another host).

I can't find other configuration parameters in the documentation [1] that may help. Any suggestions as to what I have missed?

Thanks
Frank

[1] https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Sendemail
[2] https://en.wikipedia.org/wiki/Smart_host

0 Karma
1 Solution

frank_buettner
Explorer

We are now using a Microsoft Teams connector for pushing the notifications. So this is our "solution", although we did not manage to send emails via the relay server by using a Python script.

0 Karma

DavidHourani
Super Champion

Could be a permission issue. Are you running the sendemail command within the search app context?
Also use the sendresults=true option: ... | sendemail to="elvis@splunk.com" sendresults=true

0 Karma

frank_buettner
Explorer

@DavidHourani Do you have more suggestions? Is it possible at all to send mails via an SMTP relay server [1]? "Smart Host" would be a synonym for "relay server".

[1] https://en.wikipedia.org/wiki/Smart_host

0 Karma

DavidHourani
Super Champion

IMO it should work just like an SMTP server; all it does is forward the emails. Did you try connecting directly to your SMTP server? At least that way you can ensure that your configs are right. If that's validated then there could be an extra configuration to add for this "sendemail" to work.

You can also play around with the sendemail.py script (make sure to keep a backup first). If you're then able to send an email from the CLI with the script then Splunk should be able to do so as well.

0 Karma
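
One way to run the direct connection test suggested in the reply above, as an added example that is not part of the original thread and not Splunk's sendemail.py: a standalone probe that talks to the relay in plaintext without logging in, records whether the relay advertises STARTTLS or AUTH, and attempts one delivery. The function names and the command-line argument order are assumptions made for this example.

```python
import smtplib
import sys
from email.message import EmailMessage


def build_test_message(sender, recipient):
    """Build a minimal message so a delivery failure cannot be blamed on content."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "SMTP relay test"
    msg.set_content("Sent directly to the relay, bypassing Splunk.")
    return msg


def assess_features(esmtp_features):
    """Report which security extensions appear in the relay's EHLO reply."""
    names = {name.lower() for name in esmtp_features}
    return {
        "starttls_offered": "starttls" in names,  # False confirms a plaintext-only relay
        "auth_offered": "auth" in names,          # False confirms no login is expected
    }


def probe_relay(host, port, sender, recipient, timeout=10):
    """Connect without TLS or login and try one delivery; return a result dict."""
    result = {"connected": False, "sent": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["connected"] = True
            smtp.ehlo()
            result.update(assess_features(smtp.esmtp_features))
            # send_message returns a dict of refused recipients (empty on success)
            refused = smtp.send_message(build_test_message(sender, recipient))
            result["sent"] = not refused
    except (smtplib.SMTPException, OSError) as exc:
        # Covers refused connections, timeouts, DNS failures and SMTP rejections
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Assumed usage: python relay_probe.py <relay host> <port> <from> <to>
    relay_host, relay_port, mail_from, mail_to = sys.argv[1:5]
    print(probe_relay(relay_host, int(relay_port), mail_from, mail_to))
```

Run it from the Splunk host itself, since a relay that accepts mail without authentication usually decides by source address. A result with connected true and sent false points at the relay's policy rather than at Splunk.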

frank_buettner
Explorer

Yes, I'm using the sendemail command within the search app context.

0 Karma

frank_buettner
Explorer

Sorry for the late response:
- in Splunk I'm logged in as Administrator
- sendresults=true doesn't make a difference
- in the browser, the result of the query is shown (one event)

0 Karma