I'm trying to use the Splunk CLI to send out an email using the following search:
```
/opt/splunk/bin/splunk search "host=192.168.0.173 source="/var/log/secure" for * from * earliest=-59m latest=now | sendemail to="jared99@gmail.com" format="html" server=smtp.gmail.com:587 use_tls=1"
```
I have tested the first part of the command (before the '|' pipe) and it definitely works. However, it seems like no email is actually being sent.
Upon inspecting /opt/splunk/var/log/splunk/python.log, I see the following error:
```
2019-01-21 16:55:37,975 +0800 ERROR sendemail:1341 - 'action.email.sendresults'
```
Inspecting /opt/splunk/etc/apps/search/bin/sendemail.py only reveals that the region around line number 1341 contains the following code:
```
1326 def getAlertActions(sessionKey):
1327     settings = None
1328     try:
1329         settings = entity.getEntity('/configs/conf-alert_actions', 'email', sessionKey=sessionKey)
1330
1331         logger.debug("sendemail.getAlertActions conf file settings %s" % settings)
1332     except Exception as e:
1333         logger.error("Could not access or parse email stanza of alert_actions.conf. Error=%s" % str(e))
1334
1335     return settings
1336
1337 results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
1338 try:
1339     results = sendEmail(results, settings)
1340 except Exception, e:
1341     logger.error(e)
1342 splunk.Intersplunk.outputResults(results)
```
I would appreciate it if anyone could shed some light on how to get this working. Many thanks in advance!
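The log line above shows only a quoted key name because `logger.error(e)` on a `KeyError` prints just `str(e)`, which is the repr of the missing key. The following is an added illustration, not Splunk's code or part of the original post: `send_email_stub` is a hypothetical stand-in for `sendEmail()` that reads the one key the log names, the settings dicts are constructed, and `missing_email_keys` shows the check a practitioner would run on the stanza returned for `/configs/conf-alert_actions`.

```python
import io
import logging

# Constructed stand-ins for the dict entity.getEntity() returns from the
# [email] stanza of alert_actions.conf (assumption: the healthy one carries
# 'action.email.sendresults'; the failing one lacks it).
GOOD_SETTINGS = {"action.email.sendresults": "1", "action.email.format": "html"}
BAD_SETTINGS = {"action.email.format": "html"}

REQUIRED_EMAIL_KEYS = ("action.email.sendresults",)  # the key named in the log


def send_email_stub(settings):
    """Hypothetical stand-in for sendEmail(): indexes the key the log names."""
    return settings["action.email.sendresults"] == "1"


def run_and_capture(settings, use_exception_logging=False):
    """Mimic the tail of sendemail.py and return what would land in python.log.

    With use_exception_logging=False the handler does what the page's code
    does (logger.error(e)); with True it uses logger.exception, which keeps
    the exception type and traceback in the log.
    """
    buf = io.StringIO()
    logger = logging.getLogger("sendemail-demo-%d" % id(buf))
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))  # default format: message only
    try:
        send_email_stub(settings)
    except Exception as e:
        if use_exception_logging:
            logger.exception("sendEmail failed")
        else:
            logger.error(e)  # str(KeyError('x')) is "'x'": the bare quoted key
    return buf.getvalue()


def missing_email_keys(settings, required=REQUIRED_EMAIL_KEYS):
    """Return the required email settings absent from the fetched stanza."""
    if settings is None:  # getAlertActions() returns None when the fetch fails
        return list(required)
    return [key for key in required if key not in settings]


if __name__ == "__main__":
    print(run_and_capture(BAD_SETTINGS), end="")
    print(run_and_capture(BAD_SETTINGS, use_exception_logging=True), end="")
    print("missing:", missing_email_keys(BAD_SETTINGS))
```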