Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

A difficult question,How to create an alert on a Splunk cluster?

xsstest
Communicator
‎04-11-2017 11:14 PM

Hi at all,
I created a Splunk cluster, created an alert on the main search, but I could not find it in the alert,
I click "alert" on the navigation bar,It has been constantly in the refresh, Why is this so?
I still have a question:
When I setting "cron" in the alert,I want to run every minute, set */1**** or * /1 * * * * or * /1 * * * on cron,When prompted to save cron format error.
So how can i set up every minute to run on cron? What is the format

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xsstest
Communicator
‎05-04-2017 07:11 PM

The reason is that I did not create an alert on the main search head. If I create an alert on the main search header, the other search head will not show these errors. And will synchronize the alert.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xsstest
Communicator
‎05-04-2017 07:11 PM

The reason is that I did not create an alert on the main search head. If I create an alert on the main search header, the other search head will not show these errors. And will synchronize the alert.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2017 12:01 AM

To run a search every minute, use * * * * * as the cron schedule.

As for your other question, what exactly have you set up, where are you saving your alert, and where are you looking for it?
Did you set up an indexer cluster? A search head cluster?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-13-2017 12:54 AM

You can sign up for slack here: http://splk.it/slack

~2100 users registered 🙂

@martin_mueller - I edited to update the link - Liz

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-13-2017 12:24 AM

In an indexer cluster or a search head cluster?

If indexer cluster, are you talking about the cluster master? About a dedicated search head searching the cluster's peers?
If search head cluster, are you talking about the captain? The deployer?

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-16-2017 06:52 PM

I have already registered(https://splunk-usergroups.signup.team/), may you approve my registration request? Thank you

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-13-2017 12:41 AM

I do not understand what you mean, do you have an email contact or Facebook, i would like to ask you some questions about Splunk

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2017 05:00 AM

What do you mean by "main search"? I'm still unsure about what exactly you have set up, where you are saving your alert, whether you're on an indexer cluster, a search head cluster, etc.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-13-2017 12:41 AM

I do not understand what you mean, do you have an email contact or Facebook, i would like to ask you some questions about Splunk

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-12-2017 06:32 PM

Sorry, I am from China, so my English level is normal. This "main search" means the master search server in cluster

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2017 02:28 AM

This feels like a bigger thing, is the rest of Splunk working normally?

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-12-2017 06:43 PM

I want to create an alert on search server in my cluster. But I can not find the alert after I created it。So I click "Alerts" on the navigation bar , it has been refreshed and no alerts are displayed,In Settings-> KNOWLEDGE -> Searches, reports, and alerts .As above,Show error “Client is not authenticated” .

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-12-2017 03:46 AM

Yes. Other work is normal。

Do you know why you can not create an alert on the Main search?

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-12-2017 01:38 AM

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎04-13-2017 05:15 AM

Are you using a load balancer (f5?) in front of your search head cluster?

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-13-2017 06:01 AM

Not used, why do you think so? The current cluster architecture is: three search servers, three index nodes, a master index node, and a deployment server and DMC.when I create alert on search server,I can not find the alert have created.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-13-2017 06:02 AM

show error:“Client is not authenticated”? why ?Should i check where?

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎04-13-2017 06:32 AM

so the 3 search servers (Search Heads) are not clustered?

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/SHCdeploymentoverview

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-12-2017 01:40 AM

I can not find the main search I have created the alert, suggesting that "client is not authenticated"

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...