Alerting

Why is my triggered alert email not sending?

jbouch03
Path Finder

Hi,
I'm having an issue with my Splunk server. I'm trying to set up some alerts, and have entered all my email relay data under the email settings. As a test, I created an alert that contains the following search:

index=_internal | head 1 

The alert is triggered, but I don't receive an email. I have checked the mail relay and it seems like the message is going through. But I still don't receive anything. As another test I did the following search:

index=_internal | head 1 | sendemail to="<my email address>" format=raw sendresults=1 server=<smtp relay> footer="Sent from Splunk." from="SplunkAlerts" subject="Splunk Alert" message="The following Splunk Alert has been fired:"

When I run this search I receive the email. Is there something I'm missing in my configuration for the alerts? Any help that you can provide would be greatly appreciated.

1 Solution

jbouch03
Path Finder

I found the issue. It wasn't with Splunk or the mail relay. The external exchange server that we need to use (provided by our parent company) was marking it as spam. Still can't figure out why the manual search didn't get marked as spam, but the alert did; however, it's working now. Thanks for all your help.

amanediel
Explorer

Hi @jbouch03,

How did you find this issue?

ppanchal
Path Finder

How did you identify that the external server was marking the email as spam? Is there a way we can search for all the spam marked emails in Splunk?

the_wolverine
Champion

Check the ~/splunk/var/log/splunk/python.log which is where all the sendemail errors will be written.

Sir_SplunkALot
Engager

Thank you for this!! I was having the exact same issue and couldn't figure out why until I read this thread. Apparently the Splunk SH we were using wasn't set up to send mail in general. We tried another search head and it worked perfectly. This helped A LOT!

bkondakindi
Path Finder

Have you configured mail servers on the Splunk side?

Check the alerts.conf file.

jbouch03
Path Finder

The alert_actions.conf is configured. Is there a separate .conf file that needs to be configured?

eholz1
Contributor

On Splunk 7.3.1 there is no such thing as an alerts.conf file.

martin_mueller
SplunkTrust

Anything suspicious in index=_internal source=*python.log?

jbouch03
Path Finder

As far as I can tell everything looks correct. I get the INFO statements but I don't see any ERROR or WARN flags.
