Alerting

Why is my triggered alert email not sending?

jbouch03
Path Finder

Hi,
I'm having an issue with my Splunk server. I'm trying to set up some alerts, and have entered all my email relay data under the email settings. As a test, I created an alert that contains the following search:

index=_internal | head 1 

The alert is triggered, but I don't receive an email. I have checked the mail relay and it seems like the message is going through. But I still don't receive anything. As another test I did the following search:

index=_internal | head 1 | sendemail to="<my email address>" format=raw sendresults=1 server=<smtp relay> footer="Sent from Splunk." from="SplunkAlerts" subject="Splunk Alert" message="The following Splunk Alert has been fired:"

When I run this search I receive the email. Is there something I'm missing in my configuration for the alerts? Any help that you can provide would be greatly appreciated.

1 Solution

jbouch03
Path Finder

I found the issue. It wasn't with Splunk or the mail relay. The external exchange server that we need to use (provided by our parent company) was marking it as spam. Still can't figure out why the manual search didn't get marked as spam, but the alert did; however, it's working now. Thanks for all your help.

amanediel
Explorer

Hi @jbouch03,

How did you find this issue?

ppanchal
Path Finder

How did you identify that the external server was marking the email as spam? Is there a way we can search for all the spam-marked emails in Splunk?

the_wolverine
Champion

Check the ~/splunk/var/log/splunk/python.log which is where all the sendemail errors will be written.

Sir_SplunkALot
Engager

Thank you for this!! I was having the exact same issue and couldn't figure out why until I read this thread. Apparently the Splunk SH we were using wasn't set up to send mail in general. We tried another search head and it worked perfectly. This helped A LOT!

bkondakindi
Path Finder

Have you configured mail servers on the Splunk side?

Check the alerts.conf file.

jbouch03
Path Finder

The alert_actions.conf is configured. Is there a separate .conf file that needs to be configured?

eholz1
Contributor

On Splunk 7.3.1 there is no such thing as an alerts.conf file.

martin_mueller
SplunkTrust

Anything suspicious in index=_internal source=*python.log?

jbouch03
Path Finder

As far as I can tell everything looks correct. I get the INFO statements but I don't see any ERROR or WARN flags.

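Added example, not part of the original thread and not Splunk's own code: a small triage script for the python.log check suggested above, which separates "Splunk logged an error sending the mail" from "Splunk only logged INFO lines, so the message was handed to the relay and the problem is further downstream" (the situation the accepted solution describes). The log line layout, the sample lines and the function names `summarize_sendemail` and `triage` are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed layout: "<date> <time>,<ms> <tz> <LEVEL> <component>:<line> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ "
    r"(?P<level>[A-Z]+)\s+(?P<component>\w+):\d+ - (?P<msg>.*)$"
)

# Constructed sample lines (hosts, addresses and line numbers are made up).
SAMPLE_LOG = """\
2024-03-01 10:15:00,004 +0000 INFO other_component:40 - constructed unrelated line
2024-03-01 10:15:02,101 +0000 INFO sendemail:100 - Sending email. subject="Splunk Alert: test", recipients="ops@example.com"
2024-03-01 10:20:02,230 +0000 INFO sendemail:100 - Sending email. subject="Splunk Alert: test", recipients="ops@example.com"
"""

FAILED_LINE = (
    "2024-03-01 10:25:02,300 +0000 ERROR sendemail:200 - "
    "Connection refused while sending mail to: ops@example.com\n"
)


def summarize_sendemail(log_text):
    """Count sendemail lines per level and collect WARN/ERROR messages."""
    counts, problems = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("component") != "sendemail":
            continue
        counts[m.group("level")] += 1
        if m.group("level") in ("ERROR", "WARN", "WARNING"):
            problems.append((m.group("ts"), m.group("msg")))
    return counts, problems


def triage(log_text):
    """Say where to look next, based only on what Splunk logged."""
    counts, problems = summarize_sendemail(log_text)
    if problems:
        return "splunk-side failure"
    if counts["INFO"]:
        return "handed to relay; check relay and recipient-side filtering"
    return "no sendemail activity logged"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(triage(SAMPLE_LOG + FAILED_LINE))
```

To use it on a real search head, pass the contents of python.log to `triage` instead of the constructed sample, and adjust `LINE_RE` if the local log layout differs.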