I'm trying to use the Splunk CLI to send out an email using the following search:
/opt/splunk/bin/splunk search "host=192.168.0.173 source="/var/log/secure" for * from * earliest=-59m latest=now | sendemail to="jared99@gmail.com" format="html" server=smtp.gmail.com:587 use_tls=1"
I have tested the first part of the command (before the '|' pipe) and it definitely works. However, it seems like no email is actually being sent.
Upon inspecting /opt/splunk/var/log/splunk/python.log, I see the following error:
2019-01-21 16:55:37,975 +0800 ERROR sendemail:1341 - 'action.email.sendresults'
Inspecting /opt/splunk/etc/apps/search/bin/sendemail.py only reveals that the region around line number 1341 contains the following code:
1326 def getAlertActions(sessionKey):
1327     settings = None
1328     try:
1329         settings = entity.getEntity('/configs/conf-alert_actions', 'email', sessionKey=sessionKey)
1330
1331         logger.debug("sendemail.getAlertActions conf file settings %s" % settings)
1332     except Exception as e:
1333         logger.error("Could not access or parse email stanza of alert_actions.conf. Error=%s" % str(e))
1334
1335     return settings
1336
1337 results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
1338 try:
1339     results = sendEmail(results, settings)
1340 except Exception, e:
1341     logger.error(e)
1342 splunk.Intersplunk.outputResults(results)
Would appreciate if anyone could shed some light on how to get this working. Many thanks in advance!
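Added example (not from the post or from Splunk's sendemail.py) showing why the log line above carries only a bare quoted key: it assumes the message is the str() of a KeyError raised when the settings dict built from the [email] stanza of alert_actions.conf lacks action.email.sendresults, and it uses a constructed settings dict in place of the real entity object.

```python
import logging
import traceback

# Constructed stand-in for what getAlertActions() returns from the [email]
# stanza of alert_actions.conf (assumption: the real settings object is
# dict-like, keyed by "action.email.<name>").
EMAIL_STANZA_INCOMPLETE = {
    "action.email.from": "splunk@localhost",
    "action.email.mailserver": "smtp.gmail.com:587",
}
EMAIL_STANZA_COMPLETE = dict(EMAIL_STANZA_INCOMPLETE,
                             **{"action.email.sendresults": "1"})

logger = logging.getLogger("sendemail")


def send_results_enabled(settings):
    """Direct indexed lookup of the setting; raises KeyError when it is absent."""
    return settings["action.email.sendresults"] == "1"


def logged_message(settings):
    """Reproduce the `except Exception, e: logger.error(e)` pattern from the
    quoted source and return the text that would land in python.log."""
    try:
        send_results_enabled(settings)
        return None
    except Exception as e:
        # str(KeyError('k')) is "'k'": only the quoted key name survives,
        # which is exactly the shape of the message in the log excerpt.
        return str(e)


def logged_with_traceback(settings):
    """What logger.exception(e) or logger.error(e, exc_info=True) would have
    recorded instead: the exception type plus the raising line."""
    try:
        send_results_enabled(settings)
        return None
    except Exception:
        return traceback.format_exc()


def diagnose(settings):
    """Defensive lookup that names the missing key and its origin."""
    required = ("action.email.sendresults",)
    missing = [k for k in required if k not in settings]
    if missing:
        return "alert_actions.conf [email] stanza is missing: " + ", ".join(missing)
    return "ok"
```

Running logged_message on the incomplete stanza yields the same `'action.email.sendresults'` text as the log line, while logged_with_traceback shows the KeyError that produced it.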
You should find more details in splunkd.log and in the search log (via Job Inspector).