Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot real-time alerts not working?

splunkIT
Splunk Employee
Splunk Employee
‎12-19-2013 09:51 AM

Hello,
I am having a hard time trying to pin down why most of my real-time alerts have stopped working. I have looked into scheduler.log and python.log, and did not find much insightful details to the problem. Here are the symptoms:

  1. Only real-time alerts are not appearing to fire
  2. Non-realtime alerts appear to be fine as I am still getting alert emails
  3. Once splunk is restarted, some rt alerts appear to be firing; then eventually stopped
Reply
1 Solution
Solved! Jump to solution
Solution

uuppuluri_splun
Splunk Employee
Splunk Employee
‎12-19-2013 10:12 AM

Please follow the steps below to debug this issue:

1.) Backup and edit $SPLUNK_HOME/etc/log.cfg and locate the following entry:

category.SavedSplunker=INFO,scheduler

2.) change the INFO key to DEBUG (ie. category.SavedSplunker=DEBUG,scheduler)
3.) save the changes and restart splunk

4.) try to generate an event that should trigger an alert, but not happening.

5.) the debug messages (with diagnostics) should be written into $SPLUNK_HOME/var/log/splunk/scheduler.log

6) Identify the root cause, fix it and revert back the changes made in step 2 and restart Splunk to get rid of the DEBUG messages that you hopefully don't need any more

Hope This Helps!

View solution in original post

Reply
Solved! Jump to solution

salem34
Path Finder
‎03-01-2017 06:56 AM

Same situation, what was the solution for you here?

0 Karma
Reply
Solved! Jump to solution
Solution

uuppuluri_splun
Splunk Employee
Splunk Employee
‎12-19-2013 10:12 AM

Please follow the steps below to debug this issue:

1.) Backup and edit $SPLUNK_HOME/etc/log.cfg and locate the following entry:

category.SavedSplunker=INFO,scheduler

2.) change the INFO key to DEBUG (ie. category.SavedSplunker=DEBUG,scheduler)
3.) save the changes and restart splunk

4.) try to generate an event that should trigger an alert, but not happening.

5.) the debug messages (with diagnostics) should be written into $SPLUNK_HOME/var/log/splunk/scheduler.log

6) Identify the root cause, fix it and revert back the changes made in step 2 and restart Splunk to get rid of the DEBUG messages that you hopefully don't need any more

Hope This Helps!

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...