An old trick used by some searches was to run:
| map search="| sendemail to=
This example is explained in the (old) answer "How can I use a combination of map and sendemail to include spaces in the field values?"
As of more recent Splunk versions this trick no longer works. This Q&A exists only to help others find this issue in their environments, as I recently found it in production (when the emails stopped sending).
I can confirm this trick does not work in 7.3.3. I believe it worked in 7.2.6 and possibly 7.3.0, but either way there are better solutions (see the answer below).
Effectively new Splunk versions no longer allow:
| sendemail ...
There must be more than zero results so one workaround is:
| makeresults | sendemail ...
However, what I find to be a nicer solution is sendresults on SplunkBase.
To detect the usage of searches using the | map sendemail trick you may wish to use a REST endpoint and a regex such as:
| rest splunk_server=local "/servicesNS/-/-/saved/searches" count=0 f=search f=eai:* f=app
| regex search="(?s)\|\s*map\s+.*?((search\s*=\s*\"\s*\|?\s*sendemail)|(\[\s*\|?\s*sendemail))"
| table author, eai:acl.app, eai:acl.sharing, title, splunk_server, updated
If you found this useful please up-vote. If anyone knows the specific versions when this stopped working, I can update the post. Support have advised this change was done on purpose and therefore it is not a bug.
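For auditing exported app configuration offline (for example before an upgrade), the same regex can be run over savedsearches.conf text. This is an added example, not part of the original post: the parser, stanza names and addresses are constructed, and it assumes multi-line searches use a trailing backslash for continuation.

```python
import re

# Regex from the answer above, with the SPL string escaping (\") removed.
MAP_SENDEMAIL = re.compile(
    r'(?s)\|\s*map\s+.*?((search\s*=\s*"\s*\|?\s*sendemail)|(\[\s*\|?\s*sendemail))'
)

def parse_saved_searches(conf_text):
    """Return {stanza: search string}, joining backslash-continued lines."""
    searches, stanza, key, parts = {}, None, None, []
    for raw in conf_text.splitlines():
        continued = raw.rstrip().endswith("\\")
        body = raw.rstrip()[:-1] if continued else raw
        if key is None:                      # start of a stanza or key line
            line = body.strip()
            if line.startswith("[") and line.endswith("]") and not continued:
                stanza = line[1:-1]
                continue
            name, sep, val = line.partition("=")
            if not sep or line.startswith("#"):
                continue                     # blank line, comment, or junk
            key, parts = name.strip(), [val.strip()]
        else:                                # continuation of previous value
            parts.append(body)
        if not continued:
            if key == "search" and stanza is not None:
                searches[stanza] = "\n".join(parts)
            key = None
    return searches

def find_map_sendemail(conf_text):
    """Names of saved searches that still use the map + sendemail trick."""
    return sorted(name for name, spl in parse_saved_searches(conf_text).items()
                  if MAP_SENDEMAIL.search(spl))

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = r'''
[Nightly report - legacy trick]
search = | map search="| sendemail to=\"ops@example.com\" subject=\"nightly report\""
[Weekly digest - subsearch form]
search = | inputlookup owners.csv \
| map maxsearches=5 [| sendemail to=$owner$ subject="weekly digest"]
[Health mail - makeresults workaround]
search = | makeresults | sendemail to="ops@example.com" subject="health"
[Map without email]
search = index=_internal | head 1 | map search="search index=_audit user=$user$"
'''

if __name__ == "__main__":
    print(find_map_sendemail(SAMPLE_CONF))
```

Only the first two stanzas are flagged; the makeresults workaround and a map that does not start with sendemail are left alone.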