Splunk Enterprise

Allow Usergroups to send Email

florianhh
Explorer

Hello Splunkys 

I face some challenges right now.

We run a Splunk installation with about 50 active users with 10 different roles.

Now we need to allow them to send themselves alert messages via email.

First problem:

According to the docs it's not possible to send an email if you're not an admin and the SMTP server needs authentication.

Second problem:

You cannot set up per-role or per-user sender info, only system-wide via the GUI.


I found out that you can supply username= and password= parameters via SPL search, but this does not apply to alerts. And the creds then show up in plaintext in the logs.

I found that you can supply creds via the alert_actions.conf file per app. But then the creds would show up in the git repo where we version our apps.


Some .conf files honor ENV variables, but I did not find out whether alert_actions.conf does so.

And then they would still be accessible via the CLI.


Can it be so hard for Splunk to implement something so basic as per-user email sending?


Has somebody achieved something similar?

0 Karma

PickleRick
SplunkTrust

Yes, it is hard to implement it in a way that would not be easily abusable (intentionally or not).

Unfortunately, due to its history SMTP has many built-in insecurities that allow easy abuse of the email-sending functionality if you're not careful enough. And it's usually not a good idea to allow your users to send email freely, especially using any server they want.

0 Karma

florianhh
Explorer

You're absolutely right about that.

BUT I'm really surprised that Splunk, which is an expensive piece of software only used by security and admin staff, would not have figured this out by now.

0 Karma

PickleRick
SplunkTrust

And here's where you're absolutely wrong 🙂

Firstly, the console is used very often not just by admins and security (Splunk can and often does ingest and analyze many types of data - for example, I'm using it to track my car using GPS data :D).

Secondly - there is a legitimate way to send the emails - the proper alert action. And it's more or less the only way you really should need (and I'm not saying it as a Splunk user or admin but as an email server administrator with 20+ years of experience).

And if you really, really need the functionality of sending any email to any recipient through any server, you can always write your own alert action script. But I would strongly advise against it.

0 Karma
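If someone does go the custom alert action route that PickleRick mentions, the two things worth getting right are the ones raised in the original question: keeping SMTP credentials out of .conf files and logs, and not letting the action become an open relay for whoever can edit an alert. The script below is an added example written for this thread, not Splunk's own code or anything from the poster's environment. It relies on the documented behaviour that Splunk runs a custom alert action as `script.py --execute` with a JSON payload on stdin (the `configuration`, `search_name` and `result` keys); the parameter names `recipient` and `subject` inside `configuration`, the allow-listed domain, and the `ALERT_*` environment variable names are assumptions that an admin would declare in their own alert_actions.conf and service environment.

```python
#!/usr/bin/env python3
"""Restricted custom alert action (added example, not Splunk's own code).

Splunk invokes a custom alert action as `script.py --execute` and passes a
JSON payload on stdin. The top-level keys used here (configuration,
search_name, result) are the documented ones; the parameter names inside
"configuration" (recipient, subject) and the ALERT_* environment variables
are assumptions for this example.
"""
import json
import os
import smtplib
import sys
from email.message import EmailMessage

# Recipient domains this action is allowed to deliver to (assumption: set by the admin).
ALLOWED_DOMAINS = {"example.com"}


def recipient_allowed(address, allowed_domains=ALLOWED_DOMAINS):
    """True only for a single plain address whose domain is on the allow-list.

    Rejects lists, angle-bracket forms and embedded line breaks so a user who
    can edit the alert cannot turn the action into a relay to arbitrary mailboxes.
    """
    address = address.strip()
    if address.count("@") != 1 or any(c in address for c in " ,;<>\r\n"):
        return False
    _, domain = address.rsplit("@", 1)
    return domain.lower() in {d.lower() for d in allowed_domains}


def build_message(payload, sender, allowed_domains=ALLOWED_DOMAINS):
    """Validate the alert payload and return an EmailMessage, or None if rejected."""
    conf = payload.get("configuration", {})
    to_addr = conf.get("recipient", "")
    if not recipient_allowed(to_addr, allowed_domains):
        return None
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_addr
    # Flatten CR/LF so a crafted subject cannot inject additional headers.
    subject = conf.get("subject", "Splunk alert").replace("\r", " ").replace("\n", " ")
    msg["Subject"] = f"[Splunk] {payload.get('search_name', 'alert')}: {subject}"
    body = "\n".join(f"{k}={v}" for k, v in sorted(payload.get("result", {}).items()))
    msg.set_content(body or "(no result fields)")
    return msg


def send(msg, host, port, user, password):
    """Deliver over authenticated STARTTLS. The credentials are used here only
    and are never written to stdout/stderr, so they do not end up in splunkd.log."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.load(sys.stdin)
        # Credentials and server settings come from the environment of the
        # splunkd process (assumption), not from any .conf file in the app repo.
        msg = build_message(payload, os.environ.get("ALERT_MAIL_FROM", "splunk@example.com"))
        if msg is None:
            print("ERROR recipient rejected by allow-list", file=sys.stderr)
            sys.exit(1)
        send(
            os.environ.get("ALERT_SMTP_HOST", "localhost"),
            int(os.environ.get("ALERT_SMTP_PORT", "587")),
            os.environ["ALERT_SMTP_USER"],
            os.environ["ALERT_SMTP_PASS"],
        ) if False else send(
            msg,
            os.environ.get("ALERT_SMTP_HOST", "localhost"),
            int(os.environ.get("ALERT_SMTP_PORT", "587")),
            os.environ["ALERT_SMTP_USER"],
            os.environ["ALERT_SMTP_PASS"],
        )
```

The validation and the delivery are deliberately separate functions: `build_message` can be exercised offline (which is how the allow-list and header-injection handling were checked), while `send` is the only place the credentials are touched. Whether an environment variable set for the splunkd service is visible to other users on the search head is a separate hardening question that this script does not answer; it only keeps the secret out of the versioned app and out of the alert's own log lines.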