topic Re: Ghost alert in Alerting

Ghost alert

the_wolverine — Fri, 10 May 2013 18:47:25 GMT

Has anyone else seen an alert go out when it was not scheduled? I manually scheduled an alert to go out for testing, say 11:15am. Once verified, I scheduled that alert to go out at a specific time (8am, daily.) However, now I'm getting 2 alerts, one for my scheduled time (8am) and again at 11:15am.

In particular this was a scheduled PDF report. I have not seen it happen with a non-PDF Report scheduled alert.

The search was created in UI and scheduled from UI. I scheduled a cron to run at 11:15am to verify that it worked. Then I changed the schedule to ( 0 8 * * * ). It has been running for several days now but I'm getting 2 alerts daily: 1 at 8:15am and another at 11:15am.

I've scoured the filesystem and can find no evidence of where the ghost alert is coming from. The search exists in savedsearches.conf with the ( 0 8 * * * ) schedule.

Re: Ghost alert

Rob — Fri, 10 May 2013 19:26:22 GMT

How did you manually schedule the search? From the manager GUI or from the search itself?

It might be that one search is per user and the other is per app or system.

If you are using a linux box, then you can probably find it in the $SPLUNK_HOME/etc/ directory using something like:

# find . -name savedsearches.conf |grep -i <savedSearchName>

Re: Ghost alert

the_wolverine — Tue, 21 May 2013 17:21:07 GMT

The issue was resolved by restarting the SHs (we're using a pool). This appears to be some sort of bug (version 4.3.4).