Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Alert email is not working

sbollam
Explorer
‎01-29-2024 09:19 AM

Hello All,

I have created an Alert with the following query, Issue I'm having here is, I'm not receiving email alert even if the condition is met and events are returned.

 

| dbxquery query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'" connection="TESTING_DEV"
| lookup users_email.csv "Application Name" as APPLICATION_NAME OUTPUT "Admin email" as Admin_email "QA email" as QA_email "Developers email" as Developers_email
| lookup policy_details.csv policy_name as eventRule OUTPUT policy_description
| eval users_mail = Admin_email.",".Developers_email.",".QA_email
| stats count as Total_Events values(eventChain) as "Event Policy/Rule" values(eventType) as "Event Type" values(eventMod) as "Event Mod/Policy" values(eventRule) as "Event Rule" values(users_mail) as users_mail values(eventMessage) as eventMessage values(policy_description) as policy_description by APPLICATION_NAME, eventSeverity
| eval eventMessage=mvindex(eventMessage, 0, 20)
| where Total_Events > 10
| table APPLICATION_NAME, Total_Events, eventSeverity, "Event Type", "Event Rule", users_mail, eventMessage, policy_description
| rename APPLICATION_NAME as application_name, Total_Events as number_of_events, eventSeverity as event_severity, "Event Type" as event_type, "Event Rule" as event_rule, eventMessage as event_message

 

I have given email list as $result.users_mail$, the values from the filed users_mail. I see the alert being triggered but i don't receive an email. Also is there a way we can add external links to the Splunk Alerts?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2024 11:21 AM

Look in the internal python.log for "sendemail" to see if Splunk had a problem sending the email to your SMTP server.  If there's nothing there then contact your email admin for help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...