im looking for a solution that i will be able to monitor if emails stopped receiving , not for troubleshoot for specific issue

we know for sure that Splunk had issue with sending emails during this time so for sure its in splunk's end 

You can try to send email and then check those events from internal

1st send email e.g.

index=_internal sourcetype=splunkd
| head 1
| sendemail to="your.email@your.domain" subject="testing"

After that you should get at least this event from internal

index=_internal  sourcetype=splunk_python sendemail source="/opt/splunk/var/log/splunk/python.log"

 Of course it needs that your previous command has worked w/o issues.

It needs also access to _internal logs. There could be also need for some capabilities to send email.

im getting the log
all the logs are in level INFO
I know for sure that splunk had an issue with sending emails at specific time but i cannot see any logs in _internal

Have you tried my examples? If you can send email and you have access those internal logs then there are at least one log line. If you cannot see those then you haven't have access to those logs to see it.

2025-06-11 18:39:08,616 +0300 INFO	sendemail:275 - Sending email. sid=1749656347.70143, subject="testing", encoded_subject="testing", results_link="None", recipients="['your.email@your.domain']", server="localhost"

How you are sure that the issue is with splunk? Have you some logs which shows that e.g. alert is fired and it has try to send it via sendemail? For that reason I suggest 1st check that sending email is working and after that start to look why your alerts are not sending it. And quite often then the reason was that alert hasn't fired.

Hello

I know for sure that its Splunk end because Splunk told us that they had issue with sending emails

Im getting the logs after running your example 

I want to monitor such behavior myself and not count on Splunk to update me when such thing is happening 

Hi @sarit_s6 
I understand, unfortunately access to the relay logs is not possible. 

When you say that its a problem at Splunk end, do you mean with Splunk's relay server or within your own cloud environment? SplunkCloud sends emails to a local relay before being sent out of Splunk's infrastructure. 

Even if your alerts fired successfully, it may not show errors sending the emails in your Splunk _internal logs because the failure happens between Splunkd (your actual Splunk process) and an external dependency. 

As I said, Splunk Support should be able to access their relay logs and validate where the issue is coming from, but either way - it is not possible for you to directly monitor for failures against the remote SMTP service, you might see some errors if your instance is unable to reach the local relay but also not guaranteed. I wasnt able to find any Splunk apps which monitor the local SMTP connection directly.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing