Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I see no triggered alerts for an alert that should definitely be triggering an alert?

leejeason
Engager
‎12-14-2015 01:53 PM

I have a simple search:

sourcetype=iis sc_status=500

The search returns results. I saved the search as an alert. The alert is cron scheduled to run every minute (Earliest: -1m@m, Cron Expression: */1 * * * *). The only condition on the alert is that results must be greater than 0.

When I open the alert in search, it gives results. When I look at the jobs page, I clearly see it running the alert search. Further, the jobs page clearly shows that many of these entries have positive result counts. When I inspect the job, I see the alert settings all look valid and resultCount is indeed a positive number.

However, the triggered alerts page shows nothing - not a single entry there. So what am I missing? Any tips on how to troubleshoot something like this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎12-14-2015 03:58 PM

Hi @leejeason,
Did you happen to set up the "Add to Triggered Alerts" alert action, for this particular alert? Or other alert actions? If not, this might explain some of the behavior you're seeing. If the "add to triggered alerts" action is not enabled, then the alert triggering instances won't be listed on the "Triggered Alerts" page.

Here is some documentation that might help:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Triggeredalertaction
http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Reviewtriggeredalerts

Let me know if you have other questions or are still seeing this behavior after double-checking alert action configuration.
@frobinson_splunk

View solution in original post

Reply
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎12-14-2015 03:58 PM

Hi @leejeason,
Did you happen to set up the "Add to Triggered Alerts" alert action, for this particular alert? Or other alert actions? If not, this might explain some of the behavior you're seeing. If the "add to triggered alerts" action is not enabled, then the alert triggering instances won't be listed on the "Triggered Alerts" page.

Here is some documentation that might help:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Triggeredalertaction
http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Reviewtriggeredalerts

Let me know if you have other questions or are still seeing this behavior after double-checking alert action configuration.
@frobinson_splunk

Reply
Solved! Jump to solution

leejeason
Engager
‎12-15-2015 05:40 AM

Yep, that was it! I simply missed that there was an explicit action to do that and just assumed they'd end up there automatically. Thanks so much for the clarification!

Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎12-15-2015 10:20 AM

Oh, glad this helped!
Cheers,
@frobinson_splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...