Adaptive Response Action Send email not sending re...

MaverickT · ‎04-29-2021

We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email.

There are two additional findings we discovered:

If we try to append results of standard alert search (non-correlation search) to an email it works.
If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches...

Has anybody encountered such problems and how did you solve it?

thangbui · ‎08-01-2021

I am also facing this problem. Does anyone have a solution to this problem yet?

teunlaan · ‎08-01-2021

Made a report to Splunk > Fixed in ES 6.6.0

Workaround: openen your alert in "searches, reports & Alerts" and Save it again. then it should work

thangbui · ‎08-09-2021

Thank you so much, It's worked for me!

teunlaan · ‎07-14-2021

Did you get a solution for this?

We are seeing the same thing.

I did some tests and it looks like the following option in not set in the savedsearches.conf :

action.email.sendresults = 1

It always is 0 (and doesnt send anything) whatever you select.

Adaptive Response Action Send email not sending results

notable event

troubleshooting

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?