I have saved searches and all of a sudden with no changes they are returning this error to the python.log file.
ERROR Error in 'sendemail': (128, 'Network is unreachable') while sending mail to: user@user.com
I checked manually and I can send an email from this server to myself; just Splunk isn't able to send emails, and I'm not sure how to resolve this issue. I can telnet over 25 to my mailhost, so this has to be something simple to do with Splunk itself.
Any help is appreciated.
In Splunk terminology, searches that are scheduled and send emails are alerts. The email sender is saying it cannot access your mail server. The alert_actions config screen is where you say how it should reach your mail server.
There is no alert_actions.conf file, as I'm not using alerts; I'm only running saved searches every morning, not alerts.
Also, what is the usage for the sendemail.py command? When I run it I get this:
import: Unable to connect to X server ().
import: Unable to connect to X server ().
/opt/splunk/etc/searchscripts/sendemail.py[4]: from: not found
import: Unable to connect to X server ().
/opt/splunk/etc/searchscripts/sendemail.py[8]: importanceMap: not found
/opt/splunk/etc/searchscripts/sendemail.py[9]: highest:: not found
Hi,
Have you made the right settings on this page? http://lxs-monet:8000/en-US/manager/unix/configs/conf-alert_actions/email/?action=edit
Make sure that you entered a VALID sender email address. By valid, I mean: [somename]@[somedomain].com. Somename doesn't have to be a valid name (in my configuration). My email function did not work until I changed the sender address. 😉
If you never configured alert_actions, sendemail would try to connect to localhost, port 25, to send the email. It's possible something about your networking configuration or environment has changed. It seems quite likely though that configuring the alert_actions as in the above URL (but using your Splunk server) will resolve the issue.
I cannot get to that website you posted, and also in the saved search box I don't have a field for "From" or "Sender". But I must say that my saved searches have worked for 1 yr, then all of a sudden stopped with that error I put in the original post.
What host is set in $SPLUNK_HOME/etc/system/local/alert_actions.conf in the [email] stanza? The host is set with hostname=<hostname>.
Have you tried running the sendemail command manually? I'm guessing that you are using the scheduled saved searches with email alerting? If you are running on a Unix OS with a local MTA, then you may want to forward your email to localhost and let your local MTA handle the rest (this will give you a small buffer if you do experience a temporary network outage).
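A connectivity check for the mail host discussed in this thread, as an added example that is not part of any post and is not Splunk's own code. It reads the [email] stanza of an alert_actions.conf, falls back to localhost port 25 as described above, and tries a TCP connect to every address the name resolves to. Assumptions: the function names, the sample file contents, and that the host is stored under `mailserver` (or the `hostname` key mentioned in the thread) in `host[:port]` form.

```python
import configparser
import socket

# Constructed sample of a local alert_actions.conf; not taken from the thread.
SAMPLE_CONF = """
[email]
mailserver = mailhost.example.com:25
"""

def mail_target(conf_text, keys=("mailserver", "hostname")):
    """Return (host, port) from the [email] stanza, else localhost:25."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    value = ""
    if cp.has_section("email"):
        for key in keys:  # key names are assumptions, see the lead-in
            value = cp.get("email", key, fallback="").strip()
            if value:
                break
    if not value:
        return ("localhost", 25)  # fallback described in the thread
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return (host, int(port))
    return (value, 25)

def probe(host, port, timeout=5.0):
    """Connect to each resolved address; return [(address, "ok" or error text)]."""
    results = []
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, "resolve failed: %s" % exc)]
    for family, socktype, proto, _name, addr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(addr)
            results.append((addr[0], "ok"))
        except OSError as exc:  # e.g. "Network is unreachable" for one family
            results.append((addr[0], str(exc)))
    return results

if __name__ == "__main__":
    host, port = mail_target(SAMPLE_CONF)
    for address, outcome in probe(host, port):
        print(address, port, outcome)
```

Run it as the account that Splunk runs under, so the result reflects that process's view of name resolution and routing rather than an interactive user's.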