Alerting

Simple alert not working?

pkurt
Path Finder

Hello,

I think this should be a very simple question, but I do not see what I am doing wrong.

I am new to Splunk, and am trying to learn alerting using the trial version of Splunk Enterprise 6.2.3. I have imported a dummy JSON dataset. It is indexed ok. And I can do easy searches and timecharts. I want to do a test alert as well, which does not work. Here are the steps that I take.

1) I do a normal search on my indexed data, which works fine. It returns 8 events.
2) I want to try alerting on this search in an obvious way. I go to "save as" and select "alert". I select a "scheduled" alert, and I pick an hourly or a cron schedule. I then select "trigger if number of results is greater than" 1. I then select to have the alert e-mailed to me at my normal address.
3) Splunk warns me that the alert will only last until the trial version of the software expires, then it takes me to a screen that says "There are no fired events for this alert".

I do not see anything that I am doing wrong. Does anyone have any ideas? Is it possible that alerts do not work in the trial version? Does my data need to be streaming to work (I am just using some static data that I uploaded)? Any other thoughts would be greatly appreciated.

Tags (2)
0 Karma

pkurt
Path Finder

Hi again,

I simulated some mock data and I am streaming it to splunk in real time to be able to test the alerting feature.
I can monitor the streaming data in splunk and i can see it is updating in real time. But I still can not trigger any event for my simple alert requirement where I ask if my search result is greater than 1.

I can not think of anything else to try. Any suggestion is greatly appreciated.

0 Karma

fdi01
Motivator

1- The trial license includes alerting, it's the free license beyond those sixty days that doesn't. As long as you have an Alert link in the top right corner you're good.
2- try to Accelerate this search
3- As for your actual alert, make sure the condition you specified actually is met for the search results. and Alert type, Time Range, Schedule On .... at ....
Without your alert definitions and data I can't guess more.

0 Karma

gyslainlatsa
Motivator

hi,
the alert may be triggered if in the time interval that you set for the search we can have more than one result. and if after this time interval, there is no result, it is likely that you may have this message.
for more information on alerts, follow this link:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Alert/Definescheduledalerts

0 Karma

pkurt
Path Finder

Thank you very much to all of you for your quick responses. I really appreciate it.
I was not aware that I needed streaming data to do this.

0 Karma

MichaelPriest
Communicator

Splunk will only alert on the data that comes in, and as the data gets into Splunk the alert is then applied, so if you have static data i.e no live data the alert won't work

0 Karma

pkurt
Path Finder

Thank you very much for the clarification!
It was not clear at all from the tutorials that I have watched.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...