Solved: Re: Alert Email Address doesn't allow our domain

p8atsgsasd · ‎02-27-2014

When attempting to create an alert with an email notification we receive the error one of the email address in 'action.email.to' is invalid. It appears this is because of the domain we are using since as an example john.smith@example.com works vs. john.smith@example.h5 does not work.

There was another question raised similar to this with the answer being to upgrade to version 4.2.3 however we are running version 4.3. Is there another patch we need to install for this to work or can we edit a file?

martin_mueller · ‎02-28-2014

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

View solution in original post

cam343 · ‎05-18-2014

I created the following file: $SPLUNK_HOME/etc/system/local/restmap.conf
With the contents:

[validation:savedsearch]
action.email.to          = validate( match('action.email.to',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.to' is invalid")
action.email.cc          = validate( match('action.email.cc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.cc' is invalid")
action.email.bcc         = validate( match('action.email.bcc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.bcc' is invalid")

This has the addition of this regex: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$

Goto http://www.regexr.com/ to test what it matches for you.

martin_mueller · ‎02-28-2014

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

tweaktubbie · ‎06-02-2015

Just curious, the other way around, can this stanza be somehow used to ONLY allow to send to mail-adresses on @mydomain.com and @my-domain.com? It now seems that anyone can send output worldwide from the search bar?

p8atsgsasd · ‎02-28-2014

You were correct, the restmap.conf file did have this configuration. Further for future knowledge to help someone else hopefully, the regex I used was (?i)^(?:[^@\s]+@(?:[^@\s.]+\.)+[a-z0-9]{2,})(?:\s*[,;]\s*(?:[^@\s]+@(?:[^@\s]+\.)+[a-z0-9]{2,}))*$

Alert Email Address doesn't allow our domain

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk