Alerting

What's the correct format for multiple email addresses in an alert?

brettcave
Builder

If I run a manual search and then create an alert, the modal dialog wizard that walks me through the alert setup requests a semicolon-separated list of email addresses. However, when editing an alert via the manager, the help text under the email recipient box says a comma-separated list.

Are both compatible? I am busy trying to troubleshoot why some alerts are not being sent by our Splunk server, and it seems to be alerts with multiple email addresses that are breaking.

Where could I get SMTP logs from the server? What other factors might be breaking SMTP alerts from coming through? I have tried both ";" and "," in the alert, and am still not receiving the alert. The search is a real-time search (earliest = "rt" and latest="rt"), and if I run the search manually in real-time I see results coming up.

1 Solution

wrangler2x
Motivator

On Linux you can find records of the mailings in

/opt/splunk/var/log/splunk/python.log

Looking like this at the start:

2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>

You may use either commas or semicolons to separate entries in the recipients list.
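
Added example (not part of the thread and not Splunk's own code): a small triage script for the python.log check described in the answer above, separating "the mail step ran" from "the alert never fired". It assumes lines follow the timestamp, level, message layout quoted in the answer; the function names, subjects and the ERROR line are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the python.log layout quoted in the answer
# (timestamp, level, message). Subjects and the ERROR text are made up.
SAMPLE_LOG = """\
2013-08-19 12:01:08,402 INFO Sending email. subject="Splunk Alert: failed logins"
2013-08-19 12:05:41,117 ERROR Connection refused while sending mail
2013-08-19 13:01:09,030 INFO Sending email. subject="Splunk Alert: failed logins"
2013-08-19 13:30:00,500 INFO Sending email. subject="Splunk Alert: disk usage"
not a log line
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (\w+)\s+(.*)$"
)


def parse(text):
    """Yield (timestamp, level, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Milliseconds are dropped; second resolution is enough here.
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def mail_activity(text, alert_name, start, end):
    """Summarise mail attempts for one alert inside [start, end]."""
    sends, errors = [], []
    for ts, level, msg in parse(text):
        if not (start <= ts <= end):
            continue
        if msg.startswith("Sending email.") and alert_name in msg:
            sends.append(ts)
        elif level in ("ERROR", "WARNING"):
            errors.append((ts, msg))
    if sends:
        verdict = "mail step ran: check SMTP delivery and recipients"
    else:
        verdict = "no send attempt: the alert itself did not fire"
    return {"sends": sends, "errors": errors, "verdict": verdict}
```

Point it at the contents of /opt/splunk/var/log/splunk/python.log and a window in which the alert should have triggered.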


brettcave
Builder

yannk - I opened a new question that's more relevant - http://answers.splunk.com/answers/99747/real-time-alerts


brettcave
Builder

Are you saying that when I create a search, neither of "Monitor in real-time over rolling window of..." and "Trigger in real-time whenever a result matches" should be used?


brettcave
Builder

Thanks for the advice. I am refactoring a number of our rt alerts, will run on an hourly schedule. The alert I have was working, and stopped a month ago. The parameters have not changed.

brettcave
Builder

Thanks. It's not the emailing that's the problem, must be the alert.


yannK
Splunk Employee

Remark: never use real-time all-time alerts (rt rt); they are very costly in resources and build up memory.

Change your script to just log a line when it's called. The problem may be the argument passing.


brettcave
Builder

Seems like the problem is actually in the alert - I have tracking enabled, and if I create events that should trigger the alert, they are not showing in the alert manager either.

I have tried restarting the Splunk server, and it's still not working.
