I observed a surprising Splunk behaviour creating a real-time alert for the following query:
index="thirdlane" sourcetype="asterisk_queue_log_*"
| TRANSACTION callid maxspan=10m startswith(event=ENTERQUEUE)
| SEARCH (event=EXITEMPTY OR event=AGENTDUMP OR event=EXITWITHKEY OR event=EXITWITHTIMEOUT OR event=ABANDON)
| REX "(?i)\|ENTERQUEUE\|.*?\|(?P<tlfnumber>.+)\|"
| TABLE _time tlfnumber queuename duration
When the alert condition is 'always', the received email contains an unexpected result (tlfnumber='' and duration=0).
Otherwise, when the alert condition is 'if number of events is greater than 0', the received email contains the expected result. But when I edit the email action, Splunk displays the following message:
Unsupported Alert.
A real-time alert with a time range of all-time and a condition other than always is not supported.
It is recommended you change the time range of the alert to something other than Start Time 'rt' Finish Time 'rt' in Settings.
Is this the expected behaviour?
What is the explanation of this behaviour?
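To see what the pipeline above is expected to produce, here is an added Python emulation of its transaction, search, rex and table steps over constructed queue_log lines. It is example code written for this page, not Splunk code and not from the original post. It assumes the Asterisk queue_log layout `epoch|callid|queuename|agent|event|data1|data2|data3` and approximates Splunk's transaction semantics: a transaction opens on ENTERQUEUE, its duration is last event time minus first, and an event for the same callid that falls outside maxspan is dropped (assumed to match the default keepevicted=false behaviour). The sample also exercises one property of the rex exactly as written: the capture needs a '|' after the number, so an ENTERQUEUE line that ends with the callerid produces an empty tlfnumber for that row.

```python
import re

# Constructed sample of Asterisk queue_log lines (assumed layout:
# epoch|callid|queuename|agent|event|data1|data2|data3). Not real data.
# Call .20 is answered (no exit event), call .40 abandons after more than
# the 10-minute maxspan, and call .50 has no callername field after the number.
SAMPLE_LOG = """\
1700000000|1700000000.10|support|NONE|ENTERQUEUE||5551234567|Alice
1700000030|1700000000.10|support|NONE|ABANDON|1|1|30
1700000100|1700000100.20|sales|NONE|ENTERQUEUE||5559876543|Bob
1700000105|1700000100.20|sales|SIP/agent1|CONNECT|5|1700000100.21|3
1700000400|1700000100.20|sales|SIP/agent1|COMPLETECALLER|5|295|1
1700000500|1700000500.30|support|NONE|ENTERQUEUE||5550001111|Carol
1700000620|1700000500.30|support|NONE|EXITWITHTIMEOUT|2|2|120
1700001000|1700001000.40|support|NONE|ENTERQUEUE||5552223333|Dave
1700001700|1700001000.40|support|NONE|ABANDON|1|1|700
1700002000|1700002000.50|support|NONE|ENTERQUEUE||5554445555
1700002005|1700002000.50|support|NONE|EXITEMPTY|1|1|5
"""

# The search filter and the rex from the query, unchanged.
EXIT_EVENTS = {"EXITEMPTY", "AGENTDUMP", "EXITWITHKEY", "EXITWITHTIMEOUT", "ABANDON"}
TLF_RE = re.compile(r"(?i)\|ENTERQUEUE\|.*?\|(?P<tlfnumber>.+)\|")


def parse_line(line):
    """Split one queue_log line into the fields the query relies on."""
    fields = line.split("|")
    return {
        "_time": int(fields[0]),
        "callid": fields[1],
        "queuename": fields[2],
        "agent": fields[3],
        "event": fields[4],
        "_raw": line,
    }


def build_transactions(lines, maxspan=600):
    """Emulate '| transaction callid maxspan=10m startswith(event=ENTERQUEUE)'.

    A transaction opens only on ENTERQUEUE. Later events for the same callid
    join it while they fall within maxspan of the first event; an event beyond
    maxspan closes the transaction and is dropped (assumption: Splunk's default
    keepevicted=false). Transactions are returned in log order.
    """
    txns = []
    open_by_callid = {}
    for line in lines:
        ev = parse_line(line)
        cid = ev["callid"]
        if ev["event"] == "ENTERQUEUE":
            txn = {"callid": cid, "queuename": ev["queuename"], "events": [ev]}
            open_by_callid[cid] = txn
            txns.append(txn)
            continue
        txn = open_by_callid.get(cid)
        if txn is None:
            continue  # no open transaction for this callid
        if ev["_time"] - txn["events"][0]["_time"] > maxspan:
            del open_by_callid[cid]  # span exhausted; this event is not grouped
            continue
        txn["events"].append(ev)
    for txn in txns:
        # Splunk concatenates the member events' _raw; 'event' becomes multivalue.
        txn["_raw"] = "\n".join(e["_raw"] for e in txn["events"])
        txn["event"] = {e["event"] for e in txn["events"]}
        txn["duration"] = txn["events"][-1]["_time"] - txn["events"][0]["_time"]
    return txns


def run_query(log_text):
    """Apply the search, rex and table steps; returns rows in log order."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    rows = []
    for txn in build_transactions(lines):
        if not (txn["event"] & EXIT_EVENTS):
            continue  # '| search event=EXITEMPTY OR ...' on the multivalue field
        m = TLF_RE.search(txn["_raw"])  # '.' does not cross the newlines in _raw
        tlfnumber = m.group("tlfnumber") if m else ""  # no match -> empty field
        rows.append({
            "_time": txn["events"][0]["_time"],
            "tlfnumber": tlfnumber,
            "queuename": txn["queuename"],
            "duration": txn["duration"],
        })
    return rows


if __name__ == "__main__":
    for row in run_query(SAMPLE_LOG):
        print(row)
```

Running it lists the two calls that left the queue within the span with their numbers and wait times, skips the answered call and the call whose exit fell outside maxspan, and shows an empty tlfnumber for the ENTERQUEUE line that has no field after the number; that last row is a useful check when a rex that looks right yields '' in an alert email.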