Hi, I am using Splunk 8.0.1 on Windows OS with Python 3. With the help of @woodcock's answer from https://answers.splunk.com/answers/489475/how-configure-an-alert-to-send-an-email-based-on-f.html I was trying the search below:
Your Base Search Here
| outputlookup MyTempLookup.csv
| stats count by EmailContact
| map maxsearches=9999 search="|inputlookup MyTempLookup.csv
| search EmailContact=$EmailContact$
| sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"
The search returns results, but it is not sending any mail, and when I checked the internal logs I observed the error below:
ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
    jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
  File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action
Note: If I use only the sendemail command, it works and I am able to receive email. Is there anything that needs to be modified in the sendemail.py command for Python 3?
Below is a sample query I tried, but it is not sending any email:
index=_internal|stats count by sourcetype|eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
| outputlookup MyTempLookup.csv| stats values(EmailContact) AS emailToHeader| mvexpand emailToHeader| map search="|inputlookup MyTempLookup.csv | where EmailContact=\"$emailToHeader$\"
| fields - EmailContact
| sendemail
sendresults=true inline=true
to=\"$emailToHeader$\"
subject=\"Your Subject here: \"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \"
Any idea what mistake I am making in the above query? Thanks.