topic Re: I created an Alert, is there any way to test it? in Alerting

I created an Alert, is there any way to test it?

rwolinski — Fri, 14 Jul 2017 18:33:34 GMT

I created an alert for a condition that I want an email notification for going forward. Setting up the alert is fairly straight forward. I only want it to check at 15 minutes past the hour, for the past hour. Now that I have it created, I would like to test it, but the condition I am looking for is from earlier in the day. Is there a way to test that? I want to make sure the email addresses I entered are correct and that those groups will receive the email if the condition is encountered again in the future.

Thank you

Re: I created an Alert, is there any way to test it?

sbbadri — Fri, 14 Jul 2017 18:41:54 GMT

try this

index=xxxx sourcetype=xxxx earliest= latest= rest of the query along with condition | sendemail to=\"abc@123.com\" format=\"html\" server=localhost subject=\"Alert for Data\" message=\"This is an alert for some data\" sendpdf=true"

http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Sendemail

Re: I created an Alert, is there any way to test it?

adonio — Fri, 14 Jul 2017 18:42:01 GMT

couple of things here:
if you know the condition existed earlier that day, just create a fake alert with same condition that searches that time range
testing the emails is straight forward, use the sendmail command as described here and verify everybody receives email.
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Sendemail#Examples
hope it helps

Re: I created an Alert, is there any way to test it?

rwolinski — Fri, 14 Jul 2017 19:18:23 GMT

This worked perfectly. I everyone got the emails and exactly what we were expecting in them. Thank you.

Re: I created an Alert, is there any way to test it?

wpreston — Fri, 14 Jul 2017 21:38:31 GMT

You could also test it directly from the search bar using the sendalert command. Docs here and here.

Re: I created an Alert, is there any way to test it?

woodcock — Sat, 15 Jul 2017 03:41:04 GMT

When I need to do this, I add a macro to the end of the search that will add fake data with an append [|makeresults ... for test and | noop for non-test. When testing, just change the macro.