Hello @eduardKiyko,
Your observation is correct: AppInspect checks action.email.to only and ignores action.email.cc.
```python
import os

from six import iteritems
import splunk_appinspect


@splunk_appinspect.tags("splunk_appinspect", "savedsearches")
@splunk_appinspect.cert_version(min="1.1.8")
def check_for_emails_in_saved_search(app, reporter):
    """Check that email alerts (action.email.to) set in `savedsearches.conf`
    do not have a default value.
    """
    saved_searches = app.get_saved_searches()
    if saved_searches.configuration_file_exists():
        file_path = os.path.join("default", "savedsearches.conf")
        for search in saved_searches.searches():
            for key, value in iteritems(search.args):
                # Only action.email.to is compared; cc and bcc are never looked at.
                if key == "action.email.to":
                    reporter_output = (
                        "The saved search {} has specified the"
                        " `action.email.to` property with a"
                        " provided value. This should be left"
                        " empty or removed. File: {}, Line: {}."
                    ).format(search.name, file_path, value[1])
                    if value:
                        reporter.fail(reporter_output, file_path, value[1])
    else:
        reporter_output = "No savedsearches.conf exists."
        reporter.not_applicable(reporter_output)
```
You can remove action.email.to to pass AppInspect and find a way to use it in local/savedsearches.conf.
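For a pre-release review that also covers the recipients the check above skips, here is a standalone scan of `default/savedsearches.conf` text for non-empty `action.email.to`, `action.email.cc` and `action.email.bcc` values. It is an added example, not part of this reply or of AppInspect; the function name, the simplified `.conf` parsing and the sample file are assumptions made for illustration.

```python
import re

# Recipient settings to flag. The AppInspect check quoted above compares only
# action.email.to; cc and bcc are added here.
RECIPIENT_KEYS = ("action.email.to", "action.email.cc", "action.email.bcc")

STANZA_RE = re.compile(r"^\[(?P<name>.*)\]$")
SETTING_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def find_default_recipients(conf_text):
    """Return (stanza, key, value, line_number) for each non-empty recipient
    setting found in the text of a savedsearches.conf file."""
    findings = []
    stanza = "default"   # label used for settings placed before any [stanza]
    continued = False    # True while inside a backslash-continued value
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if continued:    # continuation of a multi-line value, e.g. a search
            continued = line.endswith("\\")
            continue
        if not line or line.startswith("#"):
            continue
        continued = line.endswith("\\")
        header = STANZA_RE.match(line)
        if header:
            stanza = header.group("name")
            continue
        setting = SETTING_RE.match(line)
        if setting and setting.group("key") in RECIPIENT_KEYS:
            value = setting.group("value").rstrip("\\").strip()
            if value:    # an empty value is what the check expects
                findings.append((stanza, setting.group("key"), value, lineno))
    return findings


# Constructed sample file, not taken from a real app.
SAMPLE_CONF = """\
[Failed logins]
search = index=auth action=failure \\
    | stats count by user
action.email = 1
action.email.to = soc@example.com
action.email.cc = oncall@example.com

[Disk usage]
action.email.to =
action.email.bcc = audit@example.com
"""

if __name__ == "__main__":
    for stanza, key, value, lineno in find_default_recipients(SAMPLE_CONF):
        print("line {}: [{}] {} = {}".format(lineno, stanza, key, value))
```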