Alert Not Triggering

irangapw
New Member

Hi All,

I'm very new to Splunk and was trying to generate email alerts for a search.

When I run the same search in "Search & Reporting" it gives me results, whereas when I configure an alert for the same search it returns 0 events.

Search:
source="C:\TestSplunklog.log" host="" index="boxtypereal" sourcetype="boxtype_real" "** ABL Debug-Alert Stack Trace **"

Alert: [screenshot of the alert configuration]

Thanks.

0 Karma

woodcock
Esteemed Legend

Do you really mean returning 0 events, or do you mean not creating alerts? If the latter, did you add the Alert Action called `Add to Triggered Alerts`? Also, for email to Gmail, go here:

https://answers.splunk.com/answers/38624/how-to-configure-email-alert-using-gmail-smtp.html

0 Karma

woodcock
Esteemed Legend

Check for errors like this:

index=_* (ERR* OR FAIL* OR WARN* OR CANNOT) (email OR sendemail)

0 Karma

woodcock
Esteemed Legend

Things to check:

What is the timepicker in the saved search?
Who is the search `running as` (the owner of the search or the system)?
Maybe emails don't work; have you tested with `| makeresults | eval ... | sendemail`?
Maybe emails don't work; have you tested with the `Add to Triggered Alerts` action?
Maybe you would like an email every time the alert runs (whether or not it has any results) and you have your alert set to `Once for Each Result` instead of `Digest`. In the former case, it will not fire for `number of results equals 0`, but in the latter case it will.

gcusello
SplunkTrust
SplunkTrust

Hi irangapw,
First, check the time range and remember that you can change it only in the alert window.
Then check the quotes (some of them aren't mandatory!) and the source value.
Then check whether there are results in the same selected time range (for this test don't use dynamic values for earliest and latest but a fixed value, e.g. earliest=-2h@h latest=-h@h).

Bye.
Giuseppe

0 Karma
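The advice above comes down to one thing: the window a scheduled alert searches is computed from the scheduler's run time and the saved search's earliest/latest modifiers, not from whatever the time picker showed when the search was tried by hand. The following is an added example, not code from the thread or from Splunk: a small parser for the relative time modifiers used in this thread (`-3d@d`, `-h@h`, `@d-2h`, `now`), applied left to right the way Splunk evaluates them (offset then snap for `-2h@h`, snap then offset for `@h-2h`). It is an assumption of this example that only the s/m/h/d/w units are needed (Splunk also accepts mon, q and y, which are not handled), and the event timestamps in the `__main__` block are constructed.

```python
import re
from datetime import datetime, timedelta

# Seconds per unit for the offset part of a modifier. Assumption: the
# s/m/h/d/w subset is enough here; mon, q and y are not handled.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One token is either an offset (-2h, +30m, -d) or a snap (@h, @d).
_TOKEN = re.compile(r"([+-])(\d*)([smhdw])|@([smhdw])")


def snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit (weeks snap to Sunday)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    return day - timedelta(days=(day.weekday() + 1) % 7)  # unit == "w"


def resolve(modifier: str, now: datetime) -> datetime:
    """Evaluate a relative time modifier such as -3d@d or @d-2h against now.

    Tokens are applied left to right, so -2h@h offsets and then snaps,
    while @h-2h snaps and then offsets.
    """
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unparsable modifier: {modifier!r}")
        pos = m.end()
        sign, count, unit, snap_unit = m.groups()
        if snap_unit:
            t = snap(t, snap_unit)
        else:
            n = int(count) if count else 1  # "-h" means "-1h"
            delta = timedelta(seconds=n * UNIT_SECONDS[unit])
            t = t + delta if sign == "+" else t - delta
    if pos != len(modifier):
        raise ValueError(f"unparsable modifier: {modifier!r}")
    return t


def check_event(event_iso: str, earliest: str, latest: str, now_iso: str) -> dict:
    """Compute the window a scheduled run at now_iso would search and report
    whether an event timestamp falls inside it (earliest inclusive, latest
    exclusive, which is how Splunk applies the two bounds)."""
    now = datetime.fromisoformat(now_iso)
    start, end = resolve(earliest, now), resolve(latest, now)
    event = datetime.fromisoformat(event_iso)
    return {
        "start": start.isoformat(sep=" "),
        "end": end.isoformat(sep=" "),
        "covered": start <= event < end,
    }


if __name__ == "__main__":
    # Scheduled run at 09:45 on 5 Jul 2019 (the scheduler time seen later in
    # this thread) with earliest=-3d@d latest=-h@h. Event times are constructed.
    run = "2019-07-05 09:45:07"
    for ev in ("2019-07-05 07:59:00", "2019-07-05 09:20:00"):
        print(ev, check_event(ev, "-3d@d", "-h@h", run))
```

The second constructed event (09:20) is exactly the case that makes an ad-hoc search and a scheduled alert disagree: a "last 24 hours" search in the UI sees it, but `latest=-h@h` cuts the window off at 08:00, so the 09:45 scheduled run never does.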

irangapw
New Member

Hi Giuseppe,
I will add the time range to the search in the alert and check.
Thanks.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Ok,
if you're satisfied with this answer, please accept and/or upvote it.
bye.
Giuseppe

0 Karma

irangapw
New Member

Hi Giuseppe,
I updated the search string as follows.

source="TestSplunklog2.log" sourcetype="TestLog2" " ABL Debug-Alert Stack Trace " earliest=-3d@d latest=-h@h

It gives me 23 events when I open it in search, but I'm still not getting the email.
Below is the alert configuration:
Alert-01
Enabled: Yes
App: search
Permissions: Private. Owned by admin
Modified: 5 Jul 2019 09:32:15
Alert Type: Scheduled. Hourly, at 45 minutes past the hour
Trigger Condition: Number of Results is > 0
Actions: 1 Action: Send email

I checked "scheduler.log" and it has the entry below for my alert.
07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - savedsearch_id="admin;search;Alert-01", search_type="scheduled", user="admin", app="search", savedsearch_name="Alert-01", priority=default, status=success, digest_mode=1, scheduled_time=1562300100, window_time=0, dispatch_time=1562300100, run_time=0.298, result_count=23, alert_actions="email", sid="scheduler_adminsearch_RMD5a4aa4f0eb0032e9c_at_1562300100_11", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

But I did not get any email.

Thanks.

0 Karma
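The scheduler.log line above is the key evidence in this thread: `status=success`, `result_count=23`, `alert_actions="email"` and `suppressed=0` mean the scheduler found events in the scheduled window and handed the result off to the email action, so the remaining fault is in the action itself, which is what woodcock's `(ERR* OR FAIL* OR WARN* OR CANNOT) (email OR sendemail)` search over `index=_*` is meant to surface. As an added example (not code from the thread, from Splunk, or from any of the posters), the script below parses scheduler.log lines into fields, classifies each run into one of the failure modes discussed in the thread, and applies an offline equivalent of that error search. The first scheduler line is the one quoted above; the other scheduler lines and all of the `_internal` lines are constructed for the example, and the field combinations they use for the "no results" and "suppressed" cases are assumptions about how those runs would be logged.

```python
import re

# The scheduler.log line quoted in this thread, followed by constructed
# variants showing two other outcomes a scheduled alert run can have.
SCHEDULER_LINES = [
    '07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - savedsearch_id="admin;search;Alert-01", search_type="scheduled", user="admin", app="search", savedsearch_name="Alert-01", priority=default, status=success, digest_mode=1, scheduled_time=1562300100, window_time=0, dispatch_time=1562300100, run_time=0.298, result_count=23, alert_actions="email", sid="scheduler_adminsearch_RMD5a4aa4f0eb0032e9c_at_1562300100_11", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""',
    # constructed: the search ran fine but the scheduled window held nothing
    '07-05-2019 10:45:07.201 +0530 INFO SavedSplunker - savedsearch_id="admin;search;Alert-01", search_type="scheduled", user="admin", app="search", savedsearch_name="Alert-01", status=success, digest_mode=1, scheduled_time=1562303700, result_count=0, alert_actions="", suppressed=0',
    # constructed: results found, but the alert's throttling suppressed the trigger
    '07-05-2019 11:45:07.188 +0530 INFO SavedSplunker - savedsearch_id="admin;search;Alert-01", search_type="scheduled", user="admin", app="search", savedsearch_name="Alert-01", status=success, digest_mode=1, scheduled_time=1562307300, result_count=5, alert_actions="email", suppressed=1',
]

# Constructed _internal lines: one sendemail failure among unrelated noise.
# The WARN line has a severity keyword but no email keyword, so it must not match.
INTERNAL_LINES = [
    '07-05-2019 09:45:08.102 +0530 ERROR sendemail:1234 - Sending failed. (535, "5.7.8 Username and Password not accepted")',
    '07-05-2019 09:45:08.110 +0530 INFO  Metrics - group=thruput, name=index_thruput, kb=12.3',
    '07-05-2019 09:45:09.000 +0530 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to file modtime.',
]

# key="quoted value" or key=bare_value (bare values end at a comma or whitespace)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_kv(line: str) -> dict:
    """Turn the key=value pairs of a scheduler.log line into a dict of strings."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(line: str) -> dict:
    """Classify one scheduler.log run into the failure modes discussed in the thread."""
    f = parse_kv(line)
    actions = [a for a in f.get("alert_actions", "").split(",") if a]
    if f.get("status") != "success":
        verdict = "failed"        # the search itself errored: look at the sid's search.log
    elif int(f.get("result_count", "0")) == 0:
        verdict = "no_results"    # nothing in the scheduled window: compare time ranges
    elif f.get("suppressed") == "1":
        verdict = "suppressed"    # throttling hid this trigger
    elif not actions:
        verdict = "no_actions"    # trigger condition not met, or no action configured
    else:
        verdict = "fired"         # handed off to the actions: debug the action (e.g. SMTP)
    return {
        "name": f.get("savedsearch_name"),
        "sid": f.get("sid"),
        "verdict": verdict,
        "actions": actions,
    }


# Offline equivalent of: index=_* (ERR* OR FAIL* OR WARN* OR CANNOT) (email OR sendemail)
_SEVERITY = re.compile(r"\b(?:ERR\w*|FAIL\w*|WARN\w*|CANNOT)\b", re.IGNORECASE)
_MAIL = re.compile(r"\b(?:email|sendemail)\b", re.IGNORECASE)


def find_mail_errors(lines):
    """Return the lines that carry both a severity keyword and an email keyword."""
    return [line for line in lines if _SEVERITY.search(line) and _MAIL.search(line)]


if __name__ == "__main__":
    for line in SCHEDULER_LINES:
        print(triage(line))
    for line in find_mail_errors(INTERNAL_LINES):
        print("mail error:", line)
```

Running it over the quoted line yields the verdict `fired` with `actions == ["email"]`, which is the same conclusion the thread reaches by adding the `Add to Triggered Alerts` action: the alert is fine and the email configuration is not.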

gcusello
SplunkTrust
SplunkTrust

Hi irangapw,
let me understand: is this the only alert that has problems, or do none of your alerts send email?
In the first case we continue to debug the alert; otherwise we try to understand whether there are problems in the email configuration.
Anyway, in the alert's actions also set "Add to Triggered Alerts"; this way you can see whether the problem is in the alert or in email [Activity -> Triggered Alerts].
If the alert is correctly triggered, you first have to check the email configuration [Settings -> Server Settings -> Email settings] and then search the _internal index for error messages.

Bye.
Giuseppe

0 Karma

irangapw
New Member

Hi Giuseppe,
As you mentioned, I added the "Add to Triggered Alerts" action to the alert and now I can see the entries for my alert. It seems to be some issue with my email configuration.
I didn't add any specific configuration there. If my email is a Gmail one, do I need to modify the configuration?

Thanks.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi irangapw,
ok, let me know if you've solved it.
Bye.
Giuseppe

0 Karma

irangapw
New Member

Hi,
I followed the steps given in the link below to configure the email settings, but I still don't get the email. Will you be able to help me with it?
https://splunkonbigdata.com/2018/09/03/how-to-configure-email-alerting-using-gmail-smtp-in-splunk/

Find below my configurations:
Mail Host - smtp.gmail.com:587
Email security - TLS
Username - email@gmail.com
Password - email password

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi irangapw,
first check whether the required port is open, e.g. with telnet smtp.gmail.com 587;
then, are you sure the username is email@gmail.com and not just email?

Bye.
Giuseppe

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@irangapw,

are you using the same "time range" in both the search window and the alert?

Happy Splunking!
0 Karma

irangapw
New Member

Hi, I have specified the time in the "Time Range Picker" and it's the same time range.

0 Karma