AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action;

impurush
Contributor

I am trying to send an email with the help of the makeresults command in a Splunk search, but I am not receiving the email and am getting the error below.

Error:

2020-10-30 12:45:21,129 -0400 ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8289/servicesNS/admin/cams/search/jobs/subsearch_asfd29470124adsfa319841023e?outpu...
Traceback (most recent call last):
  File "/app/splunk/etc/apps/search/bin/sendemail.py", line 1421, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "/app/splunk/etc/apps/search/bin/sendemail.py", line 400, in sendEmail
    jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
  File "/app/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 559, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8289/servicesNS/admin/cams/search/jobs/subsearch_asdfasljfd9147192034ejdlajff?outp...

Query
<My query>
| map search="| makeresults
| eval attribute=\"$value$\"
| table attribute
| sendemail to=\"myemail@id.com\"
content_type=\"html\"
message=\"Test message\""

Any help would be appreciated. Thanks in advance.

1 Solution

impurush
Contributor

I have found the workaround solution, and thanks to @ayush1906 for pointing out the right one.
I am attaching the link below for the solution and marking it as the right solution to close this thread.


https://community.splunk.com/t5/Alerting/Send-same-email-alert-to-different-email-ids-based-on-a/m-p...

 


impurush
Contributor

Looks like this is a known issue SPL-169625 which will be fixed in a later version.
I will close this thread if I get any workaround solution.
Please let me know if you have come across this issue and a workaround.


impurush
Contributor

Additionally, I tried to create a new user and assigned all the capabilities.
Then I tried to run the query or search from the user, but still, I got the same issue.


richgalloway
SplunkTrust

Depending on which version of Splunk you're using, you may need the admin_all_objects capability to use the sendemail command.

---
If this reply helps you, Karma would be appreciated.

impurush
Contributor

Hi @richgalloway 

I am currently using Splunk Enterprise 8.0.1 and I log in as an admin user.
I have verified that the capability is assigned to this role, but it still does not work.
However, the sendemail command works when I use it directly, as below:

<my query>
| sendemail <details>

But I am getting the error in the Python log when I use it in the makeresults command, as I mentioned in the initial question.
