I've noticed an issue with Splunk where a scheduled report stops sending emails when a member of the email notification list leaves the company. The entire report stops sending and issues no alert or notification to the report owner. There are some cases where reports go to only a few members of various teams, in which case Distribution Lists are not used, and the report owner may not be notified that an employee is leaving.
Is there a way to either A. Get an alert issued to the report owner when a scheduled report fails to send or B. Have the report continue to send to the valid emails on the list rather than fail?
There should be a message in splunkd.log when email cannot be sent. Try alerting on index=_internal sourcetype=splunkd sendemail
.
There should be a message in splunkd.log when email cannot be sent. Try alerting on index=_internal sourcetype=splunkd sendemail
.
That's exactly what I needed thank you!