As part of https://community.splunk.com/t5/forums/replypage/board-id/splunk-alerting/message-id/9866 , I upgraded the installation of Splunk Enterprise from v8.0.6 to v8.1.0 (latest as of writing). Due to the new feature Allowed Email Domains, this changed the error to the following:

2020-10-21 15:09:37,597 +0100 ERROR sendemail:1599 - 'action.email.allowedDomainList'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/search/bin/sendemail.py", line 1592, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "/opt/splunk/etc/apps/search/bin/sendemail.py", line 469, in sendEmail
    ssContent['action.email.allowedDomainList'] = ssContent['action.email.allowedDomainList'].strip()
KeyError: 'action.email.allowedDomainList'

Weirdly, /en-GB/manager/search/admin/alert_actions/email?action=edit → Allowed Domains is marked with an asterisk as if it's required (which the above behaviour would suggest) but says "Leave empty for no restriction". As this is a new feature, I just put this down to a bug, added our recipient domain name anyway, and verified that it pushed to the advanced settings of the alert, but doing so didn't make a difference - the same errors continued.

In file /opt/splunk/etc/apps/search/bin/sendemail.py, I added the lines beginning with logFile in the following block of code:

logFile.write("ssContent action.email.allowedDomainList before: {}\n".format(ssContent.get('action.email.allowedDomainList')))
logFile.write("alertContent allowedDomainList before: {}\n".format(alertContent.get('allowedDomainList')))
ssContent['action.email.allowedDomainList'] = ssContent['action.email.allowedDomainList'].strip()
logFile.write("ssContent action.email.allowedDomainList stripped: {}\n".format(ssContent.get('action.email.allowedDomainList')))
if ssContent.get('action.email.allowedDomainList') != alertContent.get('allowedDomainList'):
    ssContent['action.email.allowedDomainList'] = alertContent['allowedDomainList']
    logger.warn("For alert=%s, the 'allowedDomainList' value is always obtained from alert_actions.conf."
                "The allowedDomainList=%s" % (ssname, alertContent.get('allowedDomainList')))
if alertContent.get('allowedDomainList') != "":
    if ssContent.get('action.email.mailserver') != alertContent.get('mailserver'):
        ssContent['action.email.mailserver'] = alertContent['mailserver']
        logger.warn("For alert=%s, if a 'allowedDomainList' is specified, it uses the 'mailserver'=%s in alert_actions.conf." %
                    (ssname, ssContent.get('action.email.mailserver')))
logFile.write("action.email.allowedDomainList after: {}\n".format(ssContent.get('action.email.allowedDomainList')))
logFile.write("alertContent allowedDomainList after: {}\n".format(alertContent.get('allowedDomainList')))

The log file contains the following:

ssContent action.email.allowedDomainList before: None
alertContent allowedDomainList before: <my domain>
ssContent action.email.allowedDomainList before: None
alertContent allowedDomainList before: <my domain>
ssContent action.email.allowedDomainList before: None
alertContent allowedDomainList before: <my domain>

So, given that it's not even getting past .strip(), I can only assume that this is a bug.

Also, this 365 account was provisioned for me and I trust the person who did so, but I thought I should check that the credentials are valid and found that the password was required to be changed. So, I've set a new password, verified access, and updated Splunk. However, doing so didn't make a difference either.
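To show concretely why the "before: None" log lines end in the KeyError quoted above, and what the defensive form of that reconciliation looks like, here is an added example (my own code, not from the post or from Splunk's sendemail.py). It works on plain dicts standing in for ssContent and alertContent; the function names, the example.com domain and the mail server values are constructed assumptions.

```python
import logging

logger = logging.getLogger("sendemail_example")
KEY = 'action.email.allowedDomainList'

# Constructed stand-in for the alert_actions.conf values read via alertContent;
# the domain and mail server are placeholders, not the poster's real values.
SAMPLE_ALERT_ACTIONS = {'allowedDomainList': 'example.com',
                        'mailserver': 'smtp.example.com'}


def reconcile_allowed_domains(ss_content, alert_content, ssname, strict=False):
    """Apply the reconciliation rules of the quoted sendemail.py block.

    strict=True indexes ss_content[KEY] directly like the posted code, so a
    saved search without that key raises KeyError (the post's traceback).
    strict=False reads it with an empty default. Returns an updated copy.
    """
    ss = dict(ss_content)
    if strict:
        ss[KEY] = ss[KEY].strip()          # KeyError when KEY is absent
    else:
        ss[KEY] = ss.get(KEY, '').strip()  # absent key treated as empty
    conf_domains = alert_content.get('allowedDomainList', '')
    if ss[KEY] != conf_domains:            # alert_actions.conf always wins
        ss[KEY] = conf_domains
        logger.warning("alert=%s: allowedDomainList taken from alert_actions.conf: %r",
                       ssname, conf_domains)
    # when a domain list is enforced, the conf mail server is used as well
    if conf_domains != '' and ss.get('action.email.mailserver') != alert_content.get('mailserver'):
        ss['action.email.mailserver'] = alert_content.get('mailserver')
        logger.warning("alert=%s: mailserver taken from alert_actions.conf: %r",
                       ssname, ss['action.email.mailserver'])
    return ss


def posted_code_raises_key_error(alert_content=SAMPLE_ALERT_ACTIONS):
    """True if the strict (as-posted) path fails on a saved search lacking KEY,
    the situation the post's 'before: None' log lines show."""
    saved_search = {'action.email.mailserver': 'localhost'}  # constructed
    try:
        reconcile_allowed_domains(saved_search, alert_content, 'demo', strict=True)
    except KeyError:
        return True
    return False


if __name__ == '__main__':
    print(posted_code_raises_key_error(), reconcile_allowed_domains({}, SAMPLE_ALERT_ACTIONS, 'demo'))
```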