I have a use case where I want to send replies using a separate email address than the default address of Splunk. What I'm trying to achieve is:
Any help will be highly appreciated.
Give this a try:
the sendemail command, where you can specify multiple from addresses and different SMTP servers.
Note: make sure there is connectivity between the Splunk server and the SMTP server.
action.email.mailserver attribute to this saved search.
If you are using Splunk ES and the adaptive response of the Email action, one approach [not a clean one] would be to have one correlation search for the specific host for informationawareness and another correlation search for the rest of them, and update action.email.mailserver; it should still work.
Tried that. Doesn't work. I guess it has something to do with the configuration of the mail I'm trying to use. Unless I open the port on my search head and the mailbox server, and establish the basic SMTP connection, I won't be able to use it. Just wanted to figure out where I should put those SMTP settings in Splunk, I mean inside which configuration file, and how that stanza will be designed in order to get it executed.
If you use Splunk Web then click on
Settings -> Saved Searches -> <Alert Name> -> Edit -> Advanced Edit and override
action.email.from, which defaults to splunk@<LOCALHOST> (or whatever is set in alert_actions.conf).
Tried that. Doesn't work, since the SMTP server and settings of the mail ID that I want to trigger the alert from, email@example.com, are different. From what I figure, I may need to specify the settings of the mail ID within my search head, so that Splunk reads and uses it for this particular alert, which is giving me the field "User email", and uses the email addresses present inside the field and replies to them individually. I want all of the other emails going from Splunk to use the default ID itself.
So based on your comment, I am assuming that you are running a single scheduled search which has a User Email field, and you want to send email to all those email IDs, but you want a different from email address for certain users (email IDs) only?
Correct. I am running a scheduled search, which triggers conditions per event, picks out an email address from the User email field, and sends it a pre-drafted email. It does the same for all the email addresses which are produced when the search runs. But for this particular search, I want to use a different "from email address", which would be firstname.lastname@example.org, instead of the default email address of Splunk, which in my case is email@example.com. I want all of my other searches to use the default email address of splunk, which is firstname.lastname@example.org, like they are doing as of now.
Sorry for such a delay in response. Here is the savedsearches.conf.
action.email = 1
action.email.include.search = 1
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendcsv = 1
action.email.sendpdf = 1
action.email.sendresults = 1
action.email.to = senders
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.threat_add.param.verbose = 0
alert.track = 0
Here is the alert_actions.conf
[name of the alert]
subject="My subject as mentioned in the alert"
mailserver=local mail server:port number as defined
Yes, both of them have different SMTP relay servers. I thought about the alert_actions.conf file, I'm just not sure how to edit it to use it just for this particular alert, and leave the default ID for the rest of the things.
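One way to lay this out, covering both the earlier answer about overriding action.email.from and action.email.mailserver per saved search and the last post's question of how to keep the default identity for everything else, as an added example rather than configuration taken from this thread: the global identity stays in the [email] stanza of alert_actions.conf, and only the one saved search carries its own from address, relay and credentials. The stanza name user_notification, the search string, the field name User_email, the hostnames and the addresses are placeholders assumed for the example.

```ini
# alert_actions.conf (search head) -- global defaults inherited by every alert.
# All values here are placeholders assumed for this example.
[email]
from = splunk-default@example.com
mailserver = default-relay.example.com:25

# savedsearches.conf -- overrides only for the one search that must send from a
# different identity through a different relay. Other saved searches keep the
# [email] defaults above.
[user_notification]
search = index=main sourcetype=app_events status=locked | table User_email host
cron_schedule = */15 * * * *
enableSched = 1
# Fire once per result so each row's address gets its own message;
# the $result.<field>$ token takes the recipient from that row.
alert.digest_mode = 0
alert.track = 0
action.email = 1
action.email.to = $result.User_email$
action.email.subject = Account locked on $result.host$
# Per-alert identity and relay (the separate SMTP server from the thread).
action.email.from = alerts@partner.example.org
action.email.mailserver = partner-relay.example.org:587
# A relay other than the local one will normally require authenticated,
# encrypted submission; the search head must be able to reach this port.
action.email.use_tls = 1
action.email.auth_username = splunk-alerts
action.email.auth_password = <set-through-Splunk-Web-so-it-is-stored-encrypted>
action.email.sendresults = 0
action.email.inline = 1
```

Two practical points worth checking when testing this. A bare field name in action.email.to is sent as a literal address; only the $result.<field>$ token form, together with digest mode off, substitutes the value from each result. And the from address must belong to a domain the chosen relay is allowed to send for (SPF/DKIM on the receiving side check the relay, not the Splunk host), otherwise the messages are accepted by the relay but rejected or quarantined downstream, which looks like the alert "doesn't work" even though the SMTP connection succeeded.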