topic Re: Alert Not Triggering in Alerting

Alert Not Triggering

irangapw — Tue, 02 Jul 2019 04:57:36 GMT

Hi All,

I'm very new to SPLUNK and was trying to generate the email alerts for the search.

When i do the same search in the "Search & Reporting" it's giving me the results where as i configure an alert for the same but it's returning me 0 events.

Search:
source="C:\TestSplunklog.log" host="" index="boxtypereal" sourcetype="boxtype_real" "** ABL Debug-Alert Stack Trace **"

Alert:

Thanks.

Re: Alert Not Triggering

renjith_nair — Tue, 02 Jul 2019 12:13:49 GMT

@irangapw,

are you using same "time range" in both search window and alert ?

Re: Alert Not Triggering

gcusello — Tue, 02 Jul 2019 13:31:34 GMT

Hi irangapw,
At first check the time range and remember that you can change it only in the alert window.
Then check the quotes (some of them aren't mandatory!) and the source value.
Then check if in the same selected time range there are results (for this test don't use dinamic values as erarliest and latest but a fixed value: e.g. earliest=-2h@h latest=-h@h.

Bye.
Giuseppe

Re: Alert Not Triggering

woodcock — Tue, 02 Jul 2019 14:21:11 GMT

Things to check:

What is the timepicker in the saved search?
Who is the search `running as` (the owner of the search or the system)?
Maybe emails don't work; have you tested with `| makeresults | eval ... | sendemail`?
Maybe emails don't work; have you tested with the `Add to Triggered Alerts` action?
Maybe you would like an email every time the alert runs (whether or not it has any results) and you have your alert set to `Once for Each Result` instead of `Digest`.  In the former case, it will not fire for `number of results equals 0`, but i the latter case it will.

Re: Alert Not Triggering

irangapw — Wed, 03 Jul 2019 04:05:26 GMT

Hi, i have specified the time in the "Time Range Picker" and its the same time range.

Re: Alert Not Triggering

irangapw — Wed, 03 Jul 2019 04:07:44 GMT

Hi Giuseppe,
i will add the time range to the search in the alert and check.
Thanks.

Re: Alert Not Triggering

gcusello — Wed, 03 Jul 2019 12:14:35 GMT

Ok,
if you're satisfied of this answer, please accept and/or upvote it.
bye.
Giuseppe

Re: Alert Not Triggering

irangapw — Wed, 30 Sep 2020 01:10:53 GMT

Hi Giuseppe,
I updated the search string as follows.

source="TestSplunklog2.log" sourcetype="TestLog2" " ABL Debug-Alert Stack Trace " earliest=-3d@d latest=-h@h

It gives me the results as 23 events when i open it in the search. But i'm still not getting the email.
Below is the alert configurations:
Alert-01
Enabled: Yes. Disable
App: search
Permissions:Private. Owned by admin. Edit
Modified:5 Jul 2019 09:32:15
Alert Type:Scheduled. Hourly, at 45 minutes past the hour. Edit
Trigger Condition:Number of Results is > 0. Edit
Actions:1 Action Send email

** I checked the "scheduler.log" and it has below entry for my alert.
07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - savedsearch_id="admin;search;Alert-01", search_type="scheduled", user="admin", app="search", savedsearch_name="Alert-01", priority=default, status=success, digest_mode=1, scheduled_time=1562300100, window_time=0, dispatch_time=1562300100, run_time=0.298, result_count=23, alert_actions="email", sid="scheduler_adminsearch_RMD5a4aa4f0eb0032e9c_at_1562300100_11", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

But i did not get any email.

Thanks.

Re: Alert Not Triggering

gcusello — Fri, 05 Jul 2019 07:50:59 GMT

Hi irangapw,
let me understan: this is the only alert that has problems or all the alerts doesn't send eMail?
In first case, we continue to debug the alert, otherwise we try to understand if there are problems in eMail configuration.
Anyway, in alert's actions set also "add to triggered alerts", in this way you can see if the problem is on alert or on eMail [Activity -- Triggered alerts].
If alert is correctly triggered, you have, at first, to check the eMail configuration [Settings -- Server Settings -- eMail settings] and then search in _internal index if there are error messages.

Bye.
Giuseppe

Re: Alert Not Triggering

woodcock — Sat, 06 Jul 2019 00:06:00 GMT

Check for errors like this:

index=_* (ERR* OR FAIL* OR WARN* OR CANNOT) (email OR sendemail)

Re: Alert Not Triggering

irangapw — Mon, 08 Jul 2019 05:49:28 GMT

Hi Giuseppe,
As you mentioned i added the alert's action to "Add to triggered alerts" and now i can see the entries of my alert. Seems some issue with my email configurations.
I didn't add any specific configurations there. If my email is gmail one, do i need to modify the configurations.

Thanks.

Re: Alert Not Triggering

gcusello — Mon, 08 Jul 2019 07:27:24 GMT

Hi irangapw,
ok, let me know if you've solved it.
Bye.
Giuseppe

Re: Alert Not Triggering

irangapw — Mon, 08 Jul 2019 10:02:35 GMT

Hi,
I followed the steps given in below link to configure the email settings. But i still don't get the email. Will you be able to help me with it.
https://splunkonbigdata.com/2018/09/03/how-to-configure-email-alerting-using-gmail-smtp-in-splunk/

Find below my configurations:
Mail Host - smtp.gmail.com:587
Email security - TLS
Username - email@gmail.com
Password - email password

Thanks

Re: Alert Not Triggering

gcusello — Mon, 08 Jul 2019 11:23:34 GMT

Hi irangapw,
at first check if the used ports are correctly opened, try using telnet smtp.gmail.com 587
then are you sure that username is email@gmail.com and not email ?

Bye.
Giuseppe

Re: Alert Not Triggering

woodcock — Mon, 08 Jul 2019 13:09:36 GMT

Do you really mean returning 0 events or do you mean not creating alerts? If the latter, did you add the Alert Action called Add to Triggered Alerts`? Also, for email to gmail, go here:

https://answers.splunk.com/answers/38624/how-to-configure-email-alert-using-gmail-smtp.html