I am trying to send an email with the help of the make results command in the splunk search but I am not receiving the email and getting the below error.
Error:
2020-10-30 12:45:21,129 -0400 ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8289/servicesNS/admin/cams/search/jobs/subsearch_asfd29470124adsfa319841023e?outpu...
Traceback (most recent call last):
File "/app/splunk/etc/apps/search/bin/sendemail.py", line 1421, in <module>
results = sendEmail(results, settings, keywords, argvals)
File "/app/splunk/etc/apps/search/bin/sendemail.py", line 400, in sendEmail
jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
File "/app/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 559, in simpleRequest
raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8289/servicesNS/admin/cams/search/jobs/subsearch_asdfasljfd9147192034ejdlajff?outp...
Query
<My query>
| map search="| makeresults
| eval attribute=\"$value$\"
| table attribute
| sendemail to=\"myemail@id.com\"
content_type=\"html\"
message=\"Test message\""
Any help would be appreciated and Thanks in advance.
I have found the workaround solution and thanks to @ayush1906 for pointing out the right one.
Attaching the link below for the solution and marking as the right solution to close this thread.
I have found the workaround solution and thanks to @ayush1906 for pointing out the right one.
Attaching the link below for the solution and marking as the right solution to close this thread.
Looks like this is a known issue SPL-169625 which will be fixed in a later version.
I will close this thread if I get any workaround solution.
Please let me know if you have come across this issue and a workaround.
Additionally, I tried to create a new user and assigned all the capabilities.
Then I tried to run the query or search from the user, but still, I got the same issue.
Depending on which version of Splunk you're using, you may need the admin_all_objects capability to use the sendemail command.
Hi @richgalloway
I am currently using Splunk Enterprise 8.0.1 and I login as an admin user.
I have verified that the capability is assigned to this role but still it does not working.
However, the sendemail command is working when I used straight forward which means as below:
<my query>
| sendemail <details>
But I am getting the error in the python log when I use it in makeresults command as I mentioned in the initial question.