https://community.splunk.com/t5/Security/Log-Event-Alert-Action-not-visible-when-creating-alert/m-p/451128#M10540 <P>Hi All,</P> <P>I am creating an alert in an app which I have made using the add-on builder, my app name starts with SA-. As part of the alert I would like to use the log event trigger action. For some reason when I am in the context of my app I am unable to see this trigger action option. In the context of other apps such as search and other Splunk apps downloaded from splunk base I am able to see the log event trigger action.</P> <P>under settings&gt;alert actions I have confirmed the log event alert action has been shared globally.<BR /> Confirmed default.metadata in the alert_logevent app:</P> <PRE><CODE>[alert_actions] export = system </CODE></PRE> <P>Confirmed my app is also shared globally.</P> <P>I've made the alert_logevent app visible which did not work.</P> <P>Tried renaming the app to remove the SA-</P> <P>If I go to settings&gt;searches,report and alerts&gt;new alert. Then create the alert from the context of my app, I am now able to see the alert action but when it runs I get the following error</P> <PRE><CODE>ERROR SearchScheduler - Error in 'sendalert' command: Alert action "logevent" not found., search='sendalert logevent results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B/per_result_alert/tmp_5.csv.gz" results_link="https://splunkserver:8000/app/app_name/app_name?q=|loadjob scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B | head 6 | tail 1&amp;earliest=0&amp;latest=now"' 08-15-2019 09:20:02.390 +0400 INFO sendmodalert - Invoking modular alert action=logevent for search="6005" </CODE></PRE> <P>I feel like it is a permission issue but not sure what else I can change.</P> <P>Splunk Enterprise V7.0 and also on V7.1.3</P> Thu, 15 Aug 2019 08:53:03 GMT dsofoulis 2019-08-15T08:53:03Z https://community.splunk.com/t5/Security/Log-Event-Alert-Action-not-visible-when-creating-alert/m-p/451128#M10540 <P>Hi All,</P> <P>I am creating an alert in an app which I have made using the add-on builder, my app name starts with SA-. As part of the alert I would like to use the log event trigger action. For some reason when I am in the context of my app I am unable to see this trigger action option. In the context of other apps such as search and other Splunk apps downloaded from splunk base I am able to see the log event trigger action.</P> <P>under settings&gt;alert actions I have confirmed the log event alert action has been shared globally.<BR /> Confirmed default.metadata in the alert_logevent app:</P> <PRE><CODE>[alert_actions] export = system </CODE></PRE> <P>Confirmed my app is also shared globally.</P> <P>I've made the alert_logevent app visible which did not work.</P> <P>Tried renaming the app to remove the SA-</P> <P>If I go to settings&gt;searches,report and alerts&gt;new alert. Then create the alert from the context of my app, I am now able to see the alert action but when it runs I get the following error</P> <PRE><CODE>ERROR SearchScheduler - Error in 'sendalert' command: Alert action "logevent" not found., search='sendalert logevent results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B/per_result_alert/tmp_5.csv.gz" results_link="https://splunkserver:8000/app/app_name/app_name?q=|loadjob scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B | head 6 | tail 1&amp;earliest=0&amp;latest=now"' 08-15-2019 09:20:02.390 +0400 INFO sendmodalert - Invoking modular alert action=logevent for search="6005" </CODE></PRE> <P>I feel like it is a permission issue but not sure what else I can change.</P> <P>Splunk Enterprise V7.0 and also on V7.1.3</P> Thu, 15 Aug 2019 08:53:03 GMT https://community.splunk.com/t5/Security/Log-Event-Alert-Action-not-visible-when-creating-alert/m-p/451128#M10540 dsofoulis 2019-08-15T08:53:03Z https://community.splunk.com/t5/Security/Log-Event-Alert-Action-not-visible-when-creating-alert/m-p/451129#M10541 <P>I've found the solution.<BR /> To fix this I edited default.metadata<BR /> []<BR /> import = app1, app2, alert_logevent</P> Thu, 15 Aug 2019 10:10:55 GMT https://community.splunk.com/t5/Security/Log-Event-Alert-Action-not-visible-when-creating-alert/m-p/451129#M10541 dsofoulis 2019-08-15T10:10:55Z