Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I still receiving alerts from Splunk even after disabling them?

AzmathShaik
Path Finder
‎02-03-2017 09:02 AM

Hi,

i am using Splunk 6.4.3. i have configured real-time alerts to verify. once it is done, i have disabled and deleted savedsearches.conf from the search head but still am getting alerts from Splunk. can anyone help on how to get rid of alerts?

0 Karma
Reply

dilsheer
New Member
‎06-22-2018 06:26 AM

is there any way to disable the real time alert option permanently??

0 Karma
Reply

woodcock
Esteemed Legend
‎02-21-2017 06:51 PM

How are you determining that alerts are still firing? Let's say that you have the alert send you an email. Email is VERY laggy and it is possible that there are thousands of oustanding emails that, had the volume been slower/smaller, should have already been delivered, but because you were flooding emails, systems inbetween in the MTA chain are throttling delivery. You may see email for weeks to come that were sent BEFORE you turned off the alert. You can go to your Search Head and do this:

find $SPLUNK_HOME -name "savedsearches.conf"

Then look inside every file that you find and make SURE that anything like your search has disabled=1.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-03-2017 12:48 PM

The real-time saved searches never stop running, so did you kill those searches after you deleted the savedsearches.conf entry? From the search head servers, you can do (for linux) psef splunk and see any process running for those real-time searches. If found, kill them.

0 Karma
Reply

AzmathShaik
Path Finder
‎02-03-2017 01:14 PM

i did ps -ef | grep splunk.

i could not find any process running with my savedsearches name.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-03-2017 01:19 PM

It'll not be with your saved search name, there may be process which contains rt_ keyword and may have very old start time.

0 Karma
Reply

AzmathShaik
Path Finder
‎02-03-2017 02:20 PM

yeah i did check that but i could not find any process running.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-03-2017 09:33 AM

Are you saying you modified the savedsearches.conf file from the command line? If so, did you also refresh or start Splunk? Most command line changes don't take effect until refresh/restart.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AzmathShaik
Path Finder
‎02-03-2017 09:35 AM

yeah i did restart splunk. but still am getting lot of alerts

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-03-2017 10:23 AM

Did you modify the right file? Do the searches still appear in the GUI?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AzmathShaik
Path Finder
‎02-03-2017 12:25 PM

No There are no alerts or savaedsearches i can see in GUI

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...