Splunk Enterprise

Using Wildcards in allowedDomainList

drodman29
Path Finder

After upgrading to version 9.4, I have attempted to configure a list of acceptable domains in alert_actions.conf.

My environment has a *wide* variety of acceptable email sub-domains which share the same base.

However, the domain matching appears to be strict and wildcards are not matching. For example, users may have emails like:

a@temp.mydomain.com

b@perm.mydomain.com

Setting an allowed domain like *.mydomain.com does not match the users, and they are removed from alerts and reports.

Does anyone have a workaround other than adding every possible sub-domain?


livehybrid
SplunkTrust
SplunkTrust

Hi @drodman29 

Unfortunately it isn't possible to use wildcards in the allowedDomainList for emails. Check out the following snippet of code where the checks are made:

        domains.extend(sec.EMAIL_DELIM.split(ssContent['action.email.allowedDomainList']))
        domains = [d.strip() for d in domains]
        domains = [d.lower() for d in domains]
        recipients = [r.lower() for r in recipients]
        for recipient in recipients:
            dom = recipient.partition("@")[2]
            if not dom in domains:
                logger.error("For subject=%s, email recipient=%s is not among the allowedDomainList=%s >
                             % (ssContent.get('action.email.subject'), recipient, ssContent.get('action>
            else:
                validRecipients.append(recipient)

This takes the value of allowedDomainList, splits it and converts it to lowercase, then checks if the second half (the domain) is in the list of domains. There is no regex matching, etc., so wildcarding isn't possible.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
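To make the behaviour concrete, here is an added Python example (not Splunk's code and not from the post above): it mirrors the exact-match check quoted in the answer against the two addresses from the question, and beside it a hypothetical suffix-match variant showing what a `*.` wildcard would need to do safely (enforce the dot boundary so a lookalike such as `evilmydomain.com` is not accepted). `EMAIL_DELIM` is a constructed stand-in for Splunk's `sec.EMAIL_DELIM`; the real delimiter regex is not shown on the page.

```python
import re

# Constructed stand-in for Splunk's sec.EMAIL_DELIM (assumption: splits on
# commas, semicolons and whitespace). The real pattern is not on the page.
EMAIL_DELIM = re.compile(r"[,;\s]+")


def splunk_style_filter(allowed_domain_list, recipients):
    """Mirror of the exact-match logic quoted in the answer: split the setting,
    strip and lowercase each entry, then keep only recipients whose domain part
    is literally present in that list. Returns (valid, rejected)."""
    domains = [d.strip().lower() for d in EMAIL_DELIM.split(allowed_domain_list) if d.strip()]
    valid, rejected = [], []
    for recipient in (r.lower() for r in recipients):
        dom = recipient.partition("@")[2]          # text after the first '@'
        (valid if dom in domains else rejected).append(recipient)
    return valid, rejected


def suffix_filter(allowed_patterns, recipients):
    """Hypothetical wildcard-aware variant (NOT what Splunk ships).
    '*.mydomain.com' accepts any sub-domain of mydomain.com. The leading dot is
    kept in the suffix so that 'evilmydomain.com' does not match, and the bare
    apex 'mydomain.com' is only accepted if listed explicitly."""
    exact, suffixes = set(), []
    for pattern in EMAIL_DELIM.split(allowed_patterns):
        pattern = pattern.strip().lower()
        if not pattern:
            continue
        if pattern.startswith("*."):
            suffixes.append(pattern[1:])           # "*.mydomain.com" -> ".mydomain.com"
        else:
            exact.add(pattern)
    valid, rejected = [], []
    for recipient in (r.lower() for r in recipients):
        dom = recipient.partition("@")[2]
        ok = dom in exact or any(dom.endswith(s) for s in suffixes)
        (valid if ok else rejected).append(recipient)
    return valid, rejected


if __name__ == "__main__":
    # Constructed sample recipients, matching the two addresses in the question.
    users = ["a@temp.mydomain.com", "b@perm.mydomain.com"]
    print(splunk_style_filter("*.mydomain.com", users))   # both rejected
    print(suffix_filter("*.mydomain.com", users))          # both accepted
```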


kiran_panchavat
Champion

@drodman29 

@livehybrid has already explained this in the community post linked below — kindly take a look.

Solved: Why does my Email Allowed Domain List in Alert Act... - Splunk Community


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

drodman29
Path Finder

Does not answer the question. I know how to set this. I don't want to explicitly list every possible domain. I want a wildcard for the sake of maintenance. 


PrewinThomas
Motivator

@drodman29 

As mentioned by everyone,

The action.email.domain_allowlist setting in alert_actions.conf performs a strict, literal string match against the domain part of the email address. It does not natively support wildcards like *.mydomain.com.

So, when you set action.email.domain_allowlist = *.mydomain.com, Splunk is literally looking for an email address like user@*.mydomain.com, which is not a valid email domain format and thus won't match a@temp.mydomain.com or b@perm.mydomain.com.

So I believe a possible workaround is the scripted alert action option.
Instead of using the built-in sendemail alert action directly from the Splunk UI for these specific alerts, you configure the alert to trigger a custom script.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
