I'm very new to Splunk and was trying to generate email alerts for the search below.
When I run the same search in "Search & Reporting" it gives me results, whereas when I configure an alert for the same search it returns 0 events.
source="C:\TestSplunklog.log" host="" index="boxtypereal" sourcetype="boxtype_real" "** ABL Debug-Alert Stack Trace **"
Do you really mean returning 0 events, or do you mean not creating alerts? If the latter, did you add the Alert Action called `Add to Triggered Alerts`? Also, for email to gmail, go here:
Things to check:
What is the timepicker in the saved search?
Who is the search `running as` (the owner of the search or the system)?
Maybe emails don't work; have you tested with `| makeresults | eval ... | sendemail`?
Maybe emails don't work; have you tested with the `Add to Triggered Alerts` action?
Maybe you would like an email every time the alert runs (whether or not it has any results) and you have your alert set to `Once for Each Result` instead of `Digest`. In the former case, it will not fire for `number of results equals 0`, but in the latter case it will.
First, check the time range and remember that you can change it only in the alert window.
Then check the quotes (some of them aren't mandatory!) and the source value.
Then check whether there are results in the same selected time range (for this test don't use dynamic values for earliest and latest but fixed values, e.g. earliest=-2h@h latest=-h@h).
I updated the search string as follows.
source="TestSplunklog2.log" sourcetype="TestLog2" " ABL Debug-Alert Stack Trace " earliest=-3d@d latest=-h@h
It gives me 23 events when I open it in the search, but I'm still not getting the email.
Below are the alert configurations:
Enabled: Yes
Permissions: Private. Owned by admin
Modified: 5 Jul 2019 09:32:15
Alert Type: Scheduled. Hourly, at 45 minutes past the hour
Trigger Condition: Number of Results is > 0
Actions: 1 Action. Send email
I checked "scheduler.log" and it has the entry below for my alert.
07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - savedsearchid="admin;search;Alert-01", searchtype="scheduled", user="admin", app="search", savedsearchname="Alert-01", priority=default, status=success, digestmode=1, scheduledtime=1562300100, windowtime=0, dispatchtime=1562300100, runtime=0.298, resultcount=23, alertactions="email", sid="scheduleradminsearch_RMD5a4aa4f0eb0032e9cat156230010011", suppressed=0, threadid="AlertNotifierWorker-0", workloadpool=""
But I did not get any email.
Let me understand: is this the only alert that has problems, or do none of the alerts send email?
In the first case we continue to debug the alert; otherwise we try to understand whether there are problems in the email configuration.
Anyway, in the alert's actions also set "Add to Triggered Alerts"; in this way you can see whether the problem is in the alert or in the email [Activity -- Triggered Alerts].
If the alert is correctly triggered, you first have to check the email configuration [Settings -- Server Settings -- Email Settings] and then search the _internal index for error messages.
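To make the triage in the replies above concrete (confirm from the scheduler entry that the alert actually fired, then turn to the email side), here is an added Python example; it is not code from this thread or from Splunk. It parses the SavedSplunker line posted above plus a second, constructed line in which the scheduled run matched nothing (the "0 events" symptom from the original question), and reports which side to debug next. Field names are taken from the posted log entry; the reading of digestmode (1 = one notification per run, 0 = one per result) is an assumption about Splunk's scheduler logging, not something stated in the thread.

```python
import re
from typing import Dict, List

# Sample input: the SavedSplunker entry from scheduler.log posted in this thread.
ALERT_01_LINE = (
    '07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - savedsearchid="admin;search;Alert-01", '
    'searchtype="scheduled", user="admin", app="search", savedsearchname="Alert-01", '
    'priority=default, status=success, digestmode=1, scheduledtime=1562300100, windowtime=0, '
    'dispatchtime=1562300100, runtime=0.298, resultcount=23, alertactions="email", '
    'sid="scheduleradminsearch_RMD5a4aa4f0eb0032e9cat156230010011", suppressed=0, '
    'threadid="AlertNotifierWorker-0", workloadpool=""'
)

# Constructed counter-example (not from the thread): same alert, but the scheduled
# run matched nothing, which is the "0 events" symptom from the original question.
NO_RESULTS_LINE = (
    '07-05-2019 10:45:07.201 +0530 INFO SavedSplunker - savedsearchid="admin;search;Alert-01", '
    'searchtype="scheduled", user="admin", app="search", savedsearchname="Alert-01", '
    'priority=default, status=success, digestmode=1, resultcount=0, alertactions="email", '
    'suppressed=0, threadid="AlertNotifierWorker-0"'
)

# key=value pairs; a value is either double-quoted or runs up to the next comma/space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_scheduler_line(line: str) -> Dict[str, str]:
    """Split one SavedSplunker scheduler.log entry into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(fields: Dict[str, str]) -> Dict[str, object]:
    """Work out from the scheduler entry how far the alert got.

    The scheduler only records that it ran the search and handed results to the
    configured actions; whether the email action itself succeeded is logged
    elsewhere (the _internal index, as the reply above says), so the verdict
    tells you which side to debug next.
    """
    status_ok = fields.get("status") == "success"
    result_count = int(fields.get("resultcount") or 0)
    suppressed = fields.get("suppressed") == "1"
    actions: List[str] = [a for a in fields.get("alertactions", "").split(",") if a]
    # Assumption: digestmode=1 means one notification per run, 0 means one per result.
    digest = fields.get("digestmode") == "1"

    if not status_ok:
        verdict = "scheduled search did not succeed (status=%s); fix the search first" % fields.get("status")
    elif result_count == 0:
        verdict = "search ran but matched 0 events; check the alert's time range and quoting"
    elif suppressed:
        verdict = "results matched but the alert was throttled (suppressed=1); check throttling settings"
    elif not actions:
        verdict = "alert triggered but has no actions configured"
    else:
        verdict = ("alert triggered with %d result(s) and dispatched %s; the search side is fine, "
                   "debug the action (mail server settings, _internal index)") % (result_count, ",".join(actions))

    return {
        "savedsearch": fields.get("savedsearchname"),
        "result_count": result_count,
        "fired": status_ok and result_count > 0 and not suppressed and bool(actions),
        "digest_mode": digest,
        "actions": actions,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for line in (ALERT_01_LINE, NO_RESULTS_LINE):
        report = triage(parse_scheduler_line(line))
        print("%s: %s" % (report["savedsearch"], report["verdict"]))
```

Run against the posted entry, the verdict is that the alert did fire (status=success, resultcount=23, suppressed=0, alertactions="email"), which is exactly why adding "Add to Triggered Alerts" showed entries: the remaining problem is on the email side, not in the search or the trigger condition.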
As you mentioned, I added the alert action "Add to Triggered Alerts" and now I can see the entries for my alert. It seems there's some issue with my email configuration.
I didn't add any specific configuration there. If my email is a Gmail one, do I need to modify the configuration?
I followed the steps given in the link below to configure the email settings, but I still don't get the email. Will you be able to help me with it?
Find below my configurations:
Mail Host - smtp.gmail.com:587
Email security - TLS
Username - firstname.lastname@example.org
Password - email password