Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I get the alert emails sent out with multiple email addresses on one email instead of individual emails?

upcounselnick
Explorer
‎04-18-2016 12:52 PM

In the version of Splunk Light we were self hosting (6.2.2) we could just add everyone in the 'To' field, and it would send a single email out to all of us together. I even remember this from past times I've used Splunk Enterprise.

NOW in SLC 6.3, it sends individual emails to each person. This isn't ideal for us because we like to be able to reply all and let everyone know we're handling something.

I've tried using the 'CC' field, but that still sends individual emails as well so it seems like there's not much of a difference. You'd think CC would actually CC users to one email, but instead it's actually sending out individual emails with an empty To email.

Something could have fundamentally changed in one of the most recent versions of Splunk, and I'm trying to get to the bottom of it. This seems like a bug to me.

Reply

ChrisG
Splunk Employee
Splunk Employee
‎04-19-2016 12:10 PM

Splunk QA has confirmed that this is a bug, now logged as AMI-4340. I will update this posting when I have more information about a fix.

Reply

upcounselnick
Explorer
‎04-19-2016 12:11 PM

Thanks Chris!

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎07-19-2016 04:01 PM

The fix was pushed to production today.

Reply

upcounselnick
Explorer
‎07-19-2016 04:31 PM

excellent. thanks Chris!

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎04-18-2016 01:36 PM

Initial investigation by QA indicates that this is an issue specifically with the cloud version. They confirmed that the on-premises versions of Splunk Light and Splunk Enterprise both correctly handle email alerts with multiple recipients. We will update this posting again when we have more information.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-18-2016 03:56 PM

I'm curious if you can work around this by putting an array into the to field like this '["email@address.com","email2@address.com"]'

0 Karma
Reply

upcounselnick
Explorer
‎04-18-2016 04:04 PM

Getting a validation error: "In handler 'savedsearch': One of the email addresses in 'action.email.to' is invalid"

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-18-2016 04:17 PM

Can you try it without the square brackets too?

0 Karma
Reply

upcounselnick
Explorer
‎04-18-2016 04:27 PM

Same thing.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-18-2016 04:49 PM

Sorry I'm just a guy who tries every combo possible... I'd even try escaping the squar brackets

0 Karma
Reply

upcounselnick
Explorer
‎04-18-2016 05:02 PM

No problem. I thank you for your help. I'll try messing around with some different combinations to see if I can outsmart it. 🙂

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...