Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Alert email is not working

sbollam
Explorer
‎01-29-2024 09:19 AM

Hello All,

I have created an Alert with the following query, Issue I'm having here is, I'm not receiving email alert even if the condition is met and events are returned.

 

| dbxquery query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'" connection="TESTING_DEV"
| lookup users_email.csv "Application Name" as APPLICATION_NAME OUTPUT "Admin email" as Admin_email "QA email" as QA_email "Developers email" as Developers_email
| lookup policy_details.csv policy_name as eventRule OUTPUT policy_description
| eval users_mail = Admin_email.",".Developers_email.",".QA_email
| stats count as Total_Events values(eventChain) as "Event Policy/Rule" values(eventType) as "Event Type" values(eventMod) as "Event Mod/Policy" values(eventRule) as "Event Rule" values(users_mail) as users_mail values(eventMessage) as eventMessage values(policy_description) as policy_description by APPLICATION_NAME, eventSeverity
| eval eventMessage=mvindex(eventMessage, 0, 20)
| where Total_Events > 10
| table APPLICATION_NAME, Total_Events, eventSeverity, "Event Type", "Event Rule", users_mail, eventMessage, policy_description
| rename APPLICATION_NAME as application_name, Total_Events as number_of_events, eventSeverity as event_severity, "Event Type" as event_type, "Event Rule" as event_rule, eventMessage as event_message

 

I have given email list as $result.users_mail$, the values from the filed users_mail. I see the alert being triggered but i don't receive an email. Also is there a way we can add external links to the Splunk Alerts?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2024 11:21 AM

Look in the internal python.log for "sendemail" to see if Splunk had a problem sending the email to your SMTP server.  If there's nothing there then contact your email admin for help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...