Adaptive Response Action Send email not sending re...

MaverickT · ‎04-29-2021

We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email.

There are two additional findings we discovered:

If we try to append results of standard alert search (non-correlation search) to an email it works.
If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches...

Has anybody encountered such problems and how did you solve it?

thangbui · ‎08-01-2021

I am also facing this problem. Does anyone have a solution to this problem yet?

teunlaan · ‎08-01-2021

Made a report to Splunk > Fixed in ES 6.6.0

Workaround: openen your alert in "searches, reports & Alerts" and Save it again. then it should work

thangbui · ‎08-09-2021

Thank you so much, It's worked for me!

teunlaan · ‎07-14-2021

Did you get a solution for this?

We are seeing the same thing.

I did some tests and it looks like the following option in not set in the savedsearches.conf :

action.email.sendresults = 1

It always is 0 (and doesnt send anything) whatever you select.

Adaptive Response Action Send email not sending results

notable event

troubleshooting

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?