Alerting

Simple alert not working?

pkurt
Path Finder

Hello,

I think this should be a very simple question, but I do not see what I am doing wrong.

I am new to Splunk, and am trying to learn alerting using the trial version of Splunk Enterprise 6.2.3. I have imported a dummy JSON dataset. It is indexed ok. And I can do easy searches and timecharts. I want to do a test alert as well, which does not work. Here are the steps that I take.

1) I do a normal search on my indexed data, which works fine. It returns 8 events.
2) I want to try alerting on this search in an obvious way. I go to "save as" and select "alert". I select a "scheduled" alert, and I pick an hourly or a cron schedule. I then select "trigger if number of results is greater than" 1. I then select to have the alert e-mailed to me at my normal address.
3) Splunk warns me that the alert will only last until the trial version of the software expires, then it takes me to a screen that says "There are no fired events for this alert".

I do not see anything that I am doing wrong. Does anyone have any ideas? Is it possible that alerts do not work in the trial version? Does my data need to be streaming to work (I am just using some static data that I uploaded)? Any other thoughts would be greatly appreciated.

Tags (2)
0 Karma

pkurt
Path Finder

Hi again,

I simulated some mock data and I am streaming it to splunk in real time to be able to test the alerting feature.
I can monitor the streaming data in splunk and i can see it is updating in real time. But I still can not trigger any event for my simple alert requirement where I ask if my search result is greater than 1.

I can not think of anything else to try. Any suggestion is greatly appreciated.

0 Karma

fdi01
Motivator

1- The trial license includes alerting, it's the free license beyond those sixty days that doesn't. As long as you have an Alert link in the top right corner you're good.
2- try to Accelerate this search
3- As for your actual alert, make sure the condition you specified actually is met for the search results. and Alert type, Time Range, Schedule On .... at ....
Without your alert definitions and data I can't guess more.

0 Karma

gyslainlatsa
Motivator

hi,
the alert may be triggered if in the time interval that you set for the search we can have more than one result. and if after this time interval, there is no result, it is likely that you may have this message.
for more information on alerts, follow this link:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Alert/Definescheduledalerts

0 Karma

pkurt
Path Finder

Thank you very much to all of you for your quick responses. I really appreciate it.
I was not aware that I needed streaming data to do this.

0 Karma

MichaelPriest
Communicator

Splunk will only alert on the data that comes in, and as the data gets into Splunk the alert is then applied, so if you have static data i.e no live data the alert won't work

0 Karma

pkurt
Path Finder

Thank you very much for the clarification!
It was not clear at all from the tutorials that I have watched.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...