Alerting

Email alerts aren't triggering in schedule search !

Kaushikkatta03
Explorer

Hi Everyone ,

We have set schedule search with conditions
Scheduled Type= Cron : 0 */12 * * * .
Alert type : Always
Alert Mode : One per Each
Which should be triggered for 3 mail ids
Now the problem is the email alerts aren't coming . If we run the query we are getting the reports and exact required no fault in the query and more over i tried by setting "Basic" with 1 min time stamp to my mail id . I'm getting the alerts accordingly, But when we do the same with the above schedule type the email alerts aren't triggering . Can anyone help in this

Thanks in advance.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi Kaushikkatta03,
there could be a problem if your results are large and they exceed the maximum dimension of eMail body or attachment.
try to unset all the settings in your eMail.
Bye.
Giuseppe

0 Karma

Kaushikkatta03
Explorer

Hello Cusello ,

I have unchecked all the settings in the email , let me check by tomorrow and confirm you again on this

Thanks
Kaushik Katta

0 Karma

cmerriman
Super Champion

what schedule are you trying to get this on? every 12 hours?

0 Karma

Kaushikkatta03
Explorer

Even i tried setting with basic for every 12 hours , it should be triggered still we haven't got the mail alert. I tried by doing basic 1 min with only mail ID i'm receiving the mail alerts.

0 Karma

cmerriman
Super Champion

if you change your cron to 0 */12 * * * does that help?

0 Karma

niketn
Legend

Just to be sure that email exchange is setup and Splunk is able to send emails, have you tested any existing Dashabord/Report for scheduled PDF delivery by email Export > Schedule PDF Delivery > Check the Schedule PDF check box and after filling Email To, click Send Test Email at the bottom. If the email delivers fine it implies email exchange on Splunk server is setup properly and is not blocked by network.

If you feel your cron schedule has issue, you can test your cron expressions through online utility. Cron expression provided bby cmerriman is correct i.e. 0 */12 * * * runs every 12 hours.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Kaushikkatta03
Explorer

Hi Niketnilay,

We have another scheduled Report set with the PDF , we are going good with that daily mail reports are generating without fail , i have set cron once again as you people mentioned let me check for 2 days as i created a new search in test environment , If everything is going good than its fine . I will confirm you after the alert triggers with the cron search

Thanks
Koushik

0 Karma

Kaushikkatta03
Explorer

yes the cron is set for every 12 hrs.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...