Splunk Enterprise

Unable to send email using 'sendemail' command


I'm trying to use the Splunk CLI to send out an email using the following search:

/opt/splunk/bin/splunk search "host= source="/var/log/secure" for * from * earliest=-59m latest=now | sendemail to="jared99@gmail.com" format="html" server=smtp.gmail.com:587 use_tls=1"

I have tested the first part of the command (before the '|' pipe) and it definitely works. However, it seems like no email is actually being sent.

Upon inspecting /opt/splunk/var/log/splunk/python.log, I see the following error:

2019-01-21 16:55:37,975 +0800 ERROR     sendemail:1341 - 'action.email.sendresults'

Inspecting /opt/splunk/etc/apps/search/bin/sendemail.py only reveals that the region around line number 1341 contains the following code:

  1326  def getAlertActions(sessionKey):
  1327      settings = None
  1328      try:
  1329          settings = entity.getEntity('/configs/conf-alert_actions', 'email', sessionKey=sessionKey)
  1331          logger.debug("sendemail.getAlertActions conf file settings %s" % settings)
  1332      except Exception as e:
  1333          logger.error("Could not access or parse email stanza of alert_actions.conf. Error=%s" % str(e))
  1335      return settings
  1337  results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
  1338  try:
  1339      results = sendEmail(results, settings)
  1340  except Exception, e:
  1341      logger.error(e)
  1342  splunk.Intersplunk.outputResults(results)

Would appreciate if anyone could shed some light on how to get this working. Many thanks in advance!

0 Karma
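Why the python.log line above holds nothing but a quoted setting name, shown as an added example that is not part of the original post and is not Splunk's code: passing a caught KeyError straight to logger.error(e), as the quoted line 1341 does, logs only the missing key in quotes. The example assumes the failure was a missing dictionary key; `send_email_stub` and `run` are hypothetical names, and the empty settings dict is constructed.

```python
import io
import logging


def send_email_stub(results, settings):
    # Hypothetical stand-in for sendEmail(): it reads a key that the
    # settings dict does not contain, which raises KeyError.
    if settings["action.email.sendresults"]:
        pass
    return results


def run(settings, use_exception_logging):
    """Call the stub inside the same try/except shape as the quoted code
    and return the text that ended up in the log."""
    buf = io.StringIO()
    logger = logging.getLogger("sendemail_demo_%s" % use_exception_logging)
    logger.handlers = []
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(
        logging.Formatter("%(levelname)s %(funcName)s:%(lineno)d - %(message)s"))
    logger.addHandler(handler)
    try:
        send_email_stub([], settings)
    except Exception as e:
        if use_exception_logging:
            # Records the exception type and appends the full traceback.
            logger.exception("sendEmail failed: %s: %s", type(e).__name__, e)
        else:
            # Same call as line 1341: str(KeyError) is just the quoted key.
            logger.error(e)
    return buf.getvalue()


if __name__ == "__main__":
    empty_settings = {}  # constructed input: no email settings present
    print(run(empty_settings, use_exception_logging=False))
    print(run(empty_settings, use_exception_logging=True))
```
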


You should find more details in splunkd.log and in the search log (via Job Inspector).

If this reply helps you, an upvote would be appreciated.
0 Karma