Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where are the failures of sendemail logged in?

danielbb
Motivator
‎11-28-2022 10:53 AM

Does anybody know where the failures of sendemail are being logged? I wonder about cases where the e-mail address no longer exists and what type of error is generated and where. _internal and _audit don't seem to have this data.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2022 03:10 AM

There are two possible cases here.

1) The sendemail command (or the equivalent alert action) is unable to submit the email for delivery to the immediate SMTP server (due to bad/lack of authentication, network problems and so on). Those kinds of problems will be reported as logs from sendemail.py as @nyc_jason already showed

2) The email is properly submitted to the SMTP server but the delivery process doesn't complete properly (due to one of the many possible problems that can happen in email path) - well, then you have to troubleshoot your email system just like you would do with any other email. If the email generated from Splunk has some deliverable From address configured you might want to check the corresponding mailbox to see whether there were no delivery problem reports generated.

Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-29-2022 01:27 AM

Are you looking for logs from your actual mail transfer agent (aka SMTP server) or an existing source in Splunk?  Unless you actually ingest mail log, it won't be available.

When you say "e-mail address no longer exists," you don't mean that outlook.com used to exist but no longer, but a user's mailbox used to exist but no longer.  Is this correct?  Unless the server is rejecting connection (e.g., outlook.com all in a sudden stopped), Splunk submits data and will have no knowledge about mail handling.  Only the MTA log will contain what you needed.

Reply

danielbb
Motivator
‎11-30-2022 01:57 PM

Great. What sort of errors _does_ sendemail report on?

0 Karma
Reply

nyc_jason
Splunk Employee
Splunk Employee
‎11-28-2022 11:30 AM

try this:
index=_internal source=*python.log sendemail

Reply

danielbb
Motivator
‎11-28-2022 01:23 PM

Thank you, but unfortunately it doesn't show the failures.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...