I see a strange issue on my Splunk. There is a scheduled alert that runs every 15 minutes, and I got an undeliverable alert for a user. When I went back to check, the user's email is not configured (maybe removed by someone), but I still get the undeliverable email every time the schedule runs. Is there any place where I can check why it is triggering?
Please, what version are you using?
Because I have a problem with sending mail: I use a correct password but Splunk doesn't accept it, so let me change the version. I'm using 8.2.5, and you?
If the email isn't delivered, first check whether the problem is only on this alert or is present in all the alerts and scheduled reports.
If it's present for all alerts, first check the email configuration at [Settings -- Server Settings -- Email Settings].
Then check whether the connection between the Splunk server and the email server is open.
If instead the problem is only on this alert, first check whether the alert was triggered: you can see this at [Activity -- Triggered alerts], where there should be a triggered alert for this alert.
If not, there's a problem at alert level; if yes, the problem is in email sending.
In the first case, check the alert and see whether the search is correct and gives results, using the time period of the alert to trigger.
In the second case you have to analyze the email; e.g. sometimes some emails are blocked because the message length or the attachment size is too large.
You can see this in the _internal index by searching "sendemail" or "email not sent".
Hi @gcusello,
The email and SMTP are OK, As the other users are receiving emails and other alerts are fine
The failed email notification shows 5 emails, and when I checked the alert schedule there are only 4 emails; let's say firstname.lastname@example.org is missing in the schedule. Is there a way to check if this is a stale entry in a config file? Is there a config file that stores the email recipients? Will a Splunk restart force Splunk to pick up the recipients present in the alert schedule?
The email association to alerts is in savedsearches.conf, and you can also see it using the REST command.
As I said, I suggest checking the size of the mail message and/or of the attachment: frequently this is the problem.
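One way to look for a stale recipient outside the UI, as an added example that is not from this thread or from Splunk itself: Splunk merges savedsearches.conf from several directories (an app's default and local directories plus the per-user directories under etc/users), so an address that no longer appears in the one file you opened can still come from another layer or from the cc/bcc keys. The script below walks every savedsearches.conf under a Splunk home, prints each action.email.to/cc/bcc line of one stanza together with the file it came from, and builds a constructed sample tree to run against (the alert name, the addresses and the directory layout are made up for the demo; the idea that the extra address lives in a second layer is an assumption, not something the thread established).

```shell
#!/bin/sh
# Added example (not from the thread): audit every savedsearches.conf layer for
# the recipient keys of one alert. Splunk merges config from several directories,
# so the UI and a single file can disagree with what the alert action really uses.
# Assumption: standard $SPLUNK_HOME layout (etc/apps/*/{default,local},
# etc/users/<user>/<app>/local).

# find_recipients <splunk_home> <stanza>
# Prints "file key=value" for every action.email.{to,cc,bcc} line found in the
# named stanza, across all savedsearches.conf files under etc/.
find_recipients() {
  home="$1"; stanza="$2"
  find "$home/etc" -name savedsearches.conf 2>/dev/null | sort | while read -r f; do
    # Only emit key lines while positioned inside the wanted stanza.
    awk -v want="[$stanza]" -v file="$f" '
      /^\[/ { line = $0; sub(/[[:space:]]+$/, "", line); in_stanza = (line == want); next }
      in_stanza && /^action\.email\.(to|cc|bcc)[[:space:]]*=/ {
        gsub(/[[:space:]]+/, ""); print file " " $0
      }' "$f"
  done
}

# all_addresses <splunk_home> <stanza>
# Union of every address from every layer and key, one per line, deduplicated.
# This is the list to compare against the recipients named in the failure mail.
all_addresses() {
  find_recipients "$1" "$2" | sed 's/^[^ ]* [^=]*=//' | tr ',' '\n' | sort -u
}

# make_sample <root>
# Constructed sample tree (not real data): the app-level file lists the 4 current
# recipients, while a forgotten user-level copy of the same stanza still carries a
# 5th address on the cc key.
make_sample() {
  root="$1"
  mkdir -p "$root/etc/apps/search/local" "$root/etc/users/alice/search/local"
  cat > "$root/etc/apps/search/local/savedsearches.conf" <<'EOF'
[Nightly errors]
action.email = 1
action.email.to = a@example.org,b@example.org,c@example.org,d@example.org
cron_schedule = */15 * * * *

[Other alert]
action.email.to = z@example.org
EOF
  cat > "$root/etc/users/alice/search/local/savedsearches.conf" <<'EOF'
[Nightly errors]
action.email.cc = stale.user@example.org
EOF
}

# Stand-alone demo: build the constructed tree in a temp dir, audit one alert, clean up.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Recipient keys for [Nightly errors], per config layer:"
find_recipients "$demo_dir" "Nightly errors"
echo "Union of all addresses across layers:"
all_addresses "$demo_dir" "Nightly errors"
rm -rf "$demo_dir"
```

On a real server, `splunk btool savedsearches list "<alert name>" --debug` gives the same merged view with the originating file for each key, and the `index=_internal sendemail` search mentioned above shows the recipient list the mailer actually used; an address that appears there but in none of the config layers points at the mail server side (for example an alias or distribution list expanding to the departed user) rather than at Splunk.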
Hello @gcusello,
I found that the email is failing because the user left the organization. The other 4 people are receiving the email fine. I reviewed the savedsearches.conf for the specific alert and do not see the user's email ID. Even on the console it just shows the 4 current users, but the failure email shows 5 emails: the 4 current users and 1 user who left the organization. This is definitely a stale entry. Restarting Splunk did not fix the issue. Is there any other way to look into this?
See the alert action; the email is surely configured there.
Check whether the configured email is correct and whether a mailing list is configured; in that case the problem is in the mailing list.