- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- what's the correct format for multiple email addre...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I run a manual search and then create an alert, modal dialog wizard that walks me through the alert setup requests a semi-colon seperated list of email addresses. However, when editing an alert via the manager, the help text under the email recipient box says a comma-seperated list.
Are both compatible? I am busy trying to troubleshoot why some alerts are not being sent by our splunk server, and it seems to be alerts with multiple email addresses that are breaking.
Where could I get SMTP logs from the server? What other factors might be breaking SMTP alerts from coming through? I have tried both ";" and "," in the alert, and am still not receiving the alert. The search is a real-time search (earliest = "rt" and latest="rt"), and if I run the search manually in real-time I see results coming up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On linux you can find records of the mailings in
/opt/splunk/var/log/splunk/python.log
Looking like this at the start:
2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>
You may use either commas or semicolons to separate entries in the recipients list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yannk - I opened a new question that's more relevant - http://answers.splunk.com/answers/99747/real-time-alerts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you saying that when I create a search, neither of "Monitor in real-time over rolling window of..." and "Trigger in real-time whenever a result matches" should be used?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the advice. I am refactoring a number of our rt alerts, will run on an hourly schedule. The alert I have was working, and stopped a month ago. The parameters have not changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On linux you can find records of the mailings in
/opt/splunk/var/log/splunk/python.log
Looking like this at the start:
2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>
You may use either commas or semicolons to separate entries in the recipients list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. its not the emailing that's the problem, must be the alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remark : never use realtime alltime alerts (rt rt), they are very costly in resource and build up memory.
Change your script to just log a line when it's called. the problem may be the argument passing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems like the problem is actually in the alert - I have tracking enabled, and if I create events that should trigger the alert, they are not showing in the alert manager either.
I have tried restarting the Splunk server, and it's still not working.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
