Hello,
I am facing the same issue as you... I am not receiving email alerts from Splunk... Instead of localhost, what name should I keep for the mail server host name? Could you please suggest?
OK. Let me jump in with some organizational stuff.
1. The Answers forum is not a free support service. It's a platform for users to exchange knowledge and help each other. So it's very useful if the threads are appropriately named - it makes searching in the future way easier.
2. When you're creating a new thread and writing "I'm facing the same issue as you", what are you referring to? What issue? Who's facing it? If you're referring to another issue reported elsewhere, post a link for reference.
3. Please provide as much info as you can to help people help you - for example, the information that your alerting used to work OK and suddenly stopped is very important knowledge. You also posted the first - less important - line from the sendemail log - the next line should contain the actual error.
And more to the point - if something used to work and doesn't do that anymore, something must have changed. If you're absolutely sure (and double-checked it) that nothing changed on your side - something must have changed in the environment your Splunk is located in. Maybe the mail server's settings have changed, maybe your organization's firewall policies changed. Maybe you need to authenticate when sending outgoing email and the user/password you're using is no longer valid. Have you verified that you have connectivity to your configured email server from your search head? Did you try to manually connect to the server and initiate an SMTP transaction? Did you get any errors?
Which email provider are you planning to use? Do you have your own email server, or are you using gmail or another online email service?
I am using Outlook as the external mail server. Do you have any idea what value I should use for the mail server hostname?
As in outlook.com? If so, there is an article here describing how to connect to it via SMTP: https://support.microsoft.com/en-us/office/pop-imap-and-smtp-settings-for-outlook-com-d088b986-291d-...
Enter the required credentials to your Splunk email settings, and it should work.
Hello,
I have put the SMTP server name in my email settings in Splunk, but the issue is a bit complex: all the previous alerts/reports which were created in Splunk are coming on time, and only the ones created by me lately are not coming.
Any suggestions?
So you have previous alerts which send email successfully, but when you make new alerts, they do not send email?
Also, I have the following error, which is generated for only one previous alert. Could you please look and see what other steps I can take, if that helps?
2024-04-18 05:18:47,938 +0000 ERROR sendemail:187 - Sending email. subject="Splunk Alert: ITSEC_Backup_Change_Alert", encoded_subject="Splunk Alert: ITSEC_Backup_Change_Alert", results_link="*****", recipients="['it-security@durr.com']", server="********"
What happens if you manually use the sendemail command?
| makeresults
| sendemail to="it-security@durr.com" subject="Test mail" message="Test mail message"
I am getting the following error:
command="sendemail", (*****SMTP; Client was not authenticated to send anonymous mail during MAIL FROM', '*****.com') while sending mail to: it-security@durr.com
This error would indicate an authentication problem. You should double-check your SMTP settings to ensure that they contain authentication settings for a valid account that can send email through your email provider.
This is a message saying that the server you're trying to send your emails with doesn't let you do so (at least not without proper authentication first). It's something you have to work on with your email server provider (or configure proper settings on your Splunk server).
Yes, absolutely, the new alerts or reports that I am creating are unable to send email notifications... If you have any suggestions, kindly help.
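The manual SMTP check suggested in the thread, written out as an added example (not code from any poster or from Splunk): it walks the dialogue from the search head step by step and reports whether the failure is connectivity, TLS, or the unauthenticated MAIL FROM rejection seen above. The function names, the `helo_name` default and the report keys are assumptions of this example; host, port, sender and credentials are whatever is configured in the Splunk email settings.

```python
import smtplib
import ssl

def probe_smtp(host, port, sender, user=None, password=None,
               helo_name="localhost", timeout=10):
    """Walk the SMTP dialogue one step at a time and record where it stops."""
    report = {"connected": False, "starttls": False, "auth_offered": False,
              "authenticated": False, "mail_from": None, "error": None}
    try:
        smtp = smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout)
    except OSError as exc:  # refused, timed out, DNS failure, bad greeting
        report["error"] = f"connect: {exc}"
        return report
    try:
        report["connected"] = True
        smtp.ehlo()
        if smtp.has_extn("starttls"):  # upgrade before any credentials are sent
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            report["starttls"] = True
        report["auth_offered"] = smtp.has_extn("auth")
        if user is not None:
            smtp.login(user, password)
            report["authenticated"] = True
        # mail() returns the server's reply instead of raising on a rejection
        code, text = smtp.mail(sender)
        report["mail_from"] = (code, text.decode(errors="replace"))
        smtp.rset()  # abandon the transaction; no message is sent
    except OSError as exc:  # smtplib.SMTPException derives from OSError
        report["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        try:
            smtp.quit()
        except OSError:
            pass
    return report

def diagnose(report):
    """Map a probe report to the layer that needs fixing."""
    if not report["connected"]:
        return "network: cannot reach the mail server from this host"
    if report["mail_from"] is None:
        return f"dialogue: failed before MAIL FROM ({report['error']})"
    code, text = report["mail_from"]
    if code == 250:
        return "ok: server accepted MAIL FROM with these settings"
    if code == 530:  # RFC 4954: authentication required
        return "auth: server requires authentication before MAIL FROM"
    return f"rejected: {code} {text}"
```

Run it once without credentials and once with the account configured in Splunk; if only the authenticated run reaches "ok", the alert's mail settings are missing or carrying stale credentials.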