topic Re: Why are my alerts not being triggered? in Alerting

Why are my alerts not being triggered?

APNelson — Thu, 30 Oct 2014 19:49:09 GMT

I have an alert that I created. When I click "Open in Search and trigger the event, it shows up in the search window, but the event does not trigger the alert (send e-mail, execute the script, or show up in Triggered Alerts).

The alert is in the savedsearches.conf file in system/local and shows up with the Owner as "nobody", the App as "system" and Sharing as "Global".

What can I do to fix this problem? I have several alerts and it appears that none of them are working properly at this time.

UPDATE: It appears the number of searches may be partially responsible. When I have just one real-time alert in the savedsearches.conf file it appears to work correctly, but when I get up to 6, it stops working. The requirements being fulfilled by Splunk require as many as 14 real time searches to trigger alerts when necessary, so I definitely need some kind of solution to this problem.

Re: Why are my alerts not being triggered?

martin_mueller — Thu, 30 Oct 2014 20:39:15 GMT

Manually running the search isn't supposed to trigger the alert action, you need to wait for a scheduled run... not sure if that's what's missing here though, do elaborate if not.

Re: Why are my alerts not being triggered?

APNelson — Thu, 30 Oct 2014 20:40:28 GMT

The search for the alert is real-time, not scheduled. I'm just using the fact that the entry is showing up in search using the same criteria to prove to myself that the event was received.

Re: Why are my alerts not being triggered?

martin_mueller — Thu, 30 Oct 2014 20:42:24 GMT

I see. There's a huge list of things that could be going wrong. Is the search running in the job inspector and showing results? What's the trigger condition and similar configs for the alert? Anything suspicious / erroring in _internal?

Re: Why are my alerts not being triggered?

APNelson — Thu, 30 Oct 2014 20:55:11 GMT

I see 8 searches in the Jobs view, but not one for each of my alerts. Four have their status marked as "Done", while 4 others (which are some of my alerts, but not the one I'm using for testing) have the status "Running (100%).

I see an entry in the scheduler log indicating that it cannot execute scheduled searches that live at the system level for some reason, but I'm getting the same behavior regardless of whether my savedsearches.conf file is in apps/search/local or system/local (with a restart after moving the file so the searches are moved into an app context).

Re: Why are my alerts not being triggered?

martin_mueller — Thu, 30 Oct 2014 21:24:52 GMT

Yeah, running in system/local isn't such a great idea... however, if they're still not running if moved to an app context then there's gotta be an error message for that that's different from the system/local one.

Re: Why are my alerts not being triggered?

APNelson — Fri, 31 Oct 2014 13:29:09 GMT

It appears the number of searches may be partially responsible. When I have just one real-time alert in the savedsearches.conf file it appears to work correctly, but when I get up to 6, it stops working. The requirements being fulfilled by Splunk require as many as 14 real time searches to trigger alerts when necessary, so I definitely need some kind of solution to this problem.

Re: Why are my alerts not being triggered?

martin_mueller — Fri, 31 Oct 2014 14:47:30 GMT

There are two limits to be concerned about here, one is the number of real-time searches your user can run (see Settings -> Authentication -> Roles), the other is the number of real-time searches your Search Head can run (see limits.conf, depends on the number of cores your SH has).

Not sure how the limit for the nobody user is calculated though.

Re: Why are my alerts not being triggered?

APNelson — Mon, 28 Sep 2020 17:58:51 GMT

That did the trick. I changed base_max_searches and max_rt_search_multiplier and now they're all showing up in Jobs and my test one is responding properly.

Re: Why are my alerts not being triggered?

martin_mueller — Fri, 31 Oct 2014 17:13:27 GMT

Great. For future growth, there should be logs in _internal stating that this limit has been reached... I think. If you found those you could consider setting up a (non-realtime) alert for them to add more cores / add more search heads / increase the limit.

Re: Why are my alerts not being triggered?

ben363 — Wed, 15 Jun 2016 05:34:10 GMT

Try searching Splunk for index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" status!=success OR NOT INFO.

You can also search directly in scheduler.log.

Re: Why are my alerts not being triggered?

mbrownec — Wed, 23 Nov 2016 17:22:28 GMT

Thank you! index=_internal source=*scheduler.log status!=success OR NOT INFO savedsearch_name="[name of saved search here]" | dedup reason | table reason In my case, reason == "maxRtsearches limit reached"