Hi All,
I'm very new to Splunk and was trying to generate email alerts for a search.
When I run the search in "Search & Reporting" it gives me results, whereas when I configure an alert for the same search it returns 0 events.
Search:
source="C:\TestSplunklog.log" host="" index="boxtypereal" sourcetype="boxtype_real" "** ABL Debug-Alert Stack Trace **"
Alert:
Thanks.
Do you really mean returning 0 events, or do you mean not creating alerts? If the latter, did you add the Alert Action called `Add to Triggered Alerts`? Also, for email to gmail, go here:
https://answers.splunk.com/answers/38624/how-to-configure-email-alert-using-gmail-smtp.html
Check for errors like this:
index=_* (ERR* OR FAIL* OR WARN* OR CANNOT) (email OR sendemail)
Things to check:
What is the timepicker in the saved search?
Who is the search `running as` (the owner of the search or the system)?
Maybe emails don't work; have you tested with `| makeresults | eval ... | sendemail`?
Maybe emails don't work; have you tested with the `Add to Triggered Alerts` action?
Maybe you would like an email every time the alert runs (whether or not it has any results) and you have your alert set to `Once for Each Result` instead of `Digest`. In the former case, it will not fire for `number of results equals 0`, but in the latter case it will.
Hi irangapw,
First check the time range, and remember that you can change it only in the alert window.
Then check the quotes (some of them aren't mandatory!) and the source value.
Then check whether there are results in the same selected time range (for this test don't use dynamic values for earliest and latest but fixed values, e.g. earliest=-2h@h latest=-h@h).
Bye.
Giuseppe
Hi Giuseppe,
I will add the time range to the search in the alert and check.
Thanks.
Ok,
if you're satisfied with this answer, please accept and/or upvote it.
bye.
Giuseppe
Hi Giuseppe,
I updated the search string as follows.
source="TestSplunklog2.log" sourcetype="TestLog2" " ABL Debug-Alert Stack Trace " earliest=-3d@d latest=-h@h
It gives me 23 events when I open it in the search, but I'm still not getting the email.
Below is the alert configurations:
Alert-01
Enabled: Yes
App: search
Permissions: Private. Owned by admin
Modified: 5 Jul 2019 09:32:15
Alert Type: Scheduled. Hourly, at 45 minutes past the hour
Trigger Condition: Number of Results is > 0
Actions: 1 Action, Send email
I checked the "scheduler.log" and it has the entry below for my alert.
07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - savedsearch_id="admin;search;Alert-01", search_type="scheduled", user="admin", app="search", savedsearch_name="Alert-01", priority=default, status=success, digest_mode=1, scheduled_time=1562300100, window_time=0, dispatch_time=1562300100, run_time=0.298, result_count=23, alert_actions="email", sid="scheduler_adminsearch_RMD5a4aa4f0eb0032e9c_at_1562300100_11", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""
But I did not get any email.
Thanks.
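The scheduler.log entry quoted above already says how far the alert got: status=success, result_count=23, suppressed=0 and alert_actions="email" mean the scheduler ran the search, the trigger condition was met, nothing was throttled, and the email action was invoked, so the remaining suspect is email delivery. The following script, added here as an example and not part of Splunk or of the original thread, parses SavedSplunker lines of that shape into key=value fields and applies that reasoning. The line from the thread is used as input verbatim; the three variants are constructed by editing it, and the verdict strings and the regular expressions are this example's own.

```python
"""Triage a Splunk scheduler.log SavedSplunker entry for a failing alert.

Added example (not Splunk code). Parses the key=value body of the line
and decides whether the problem is the search, throttling, the configured
actions, or email delivery after the scheduler handed off the results.
"""
import re

# The SavedSplunker line exactly as quoted in the thread.
THREAD_LINE = (
    '07-05-2019 09:45:07.195 +0530 INFO SavedSplunker - '
    'savedsearch_id="admin;search;Alert-01", search_type="scheduled", '
    'user="admin", app="search", savedsearch_name="Alert-01", priority=default, '
    'status=success, digest_mode=1, scheduled_time=1562300100, window_time=0, '
    'dispatch_time=1562300100, run_time=0.298, result_count=23, '
    'alert_actions="email", '
    'sid="scheduler_adminsearch_RMD5a4aa4f0eb0032e9c_at_1562300100_11", '
    'suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""'
)

# Constructed variants (edits of the thread line) for the other outcomes.
VARIANTS = {
    "zero_results": THREAD_LINE.replace("result_count=23", "result_count=0"),
    "throttled": THREAD_LINE.replace("suppressed=0", "suppressed=1"),
    "no_action": THREAD_LINE.replace('alert_actions="email"', 'alert_actions=""'),
}

# "<date> <time> <tz> <LEVEL> <component> - <key=value, ...>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) (?P<level>\w+) (?P<component>\w+) - (?P<body>.*)$')
# key=value where value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')


def parse_scheduler_line(line):
    """Return the key=value fields of one SavedSplunker line as a dict."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("component") != "SavedSplunker":
        raise ValueError("not a SavedSplunker scheduler.log line")
    fields = {"_ts": m.group("ts"), "_level": m.group("level")}
    for key, raw in KV_RE.findall(m.group("body")):
        quoted = len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')
        fields[key] = raw[1:-1] if quoted else raw
    return fields


def triage(fields):
    """Return (verdict, hint) describing where the alert pipeline stopped."""
    if fields.get("status") != "success":
        return ("search_not_run",
                f"scheduler status={fields.get('status')!r}; look up the sid in search.log")
    try:
        count = int(fields.get("result_count", "0"))
    except ValueError:
        count = 0
    if count == 0:
        return ("no_results",
                "trigger condition unmet: compare the alert's time range with the ad-hoc search")
    if fields.get("suppressed") == "1":
        return ("throttled", "alert fired but was suppressed by throttling; check the suppress settings")
    actions = [a.strip() for a in fields.get("alert_actions", "").split(",") if a.strip()]
    if "email" not in actions:
        return ("no_email_action",
                f"actions recorded: {actions or 'none'}; add the Send email action")
    return ("email_handed_off",
            "search matched and the email action ran; check Server Settings > Email settings and run "
            "index=_* (ERR* OR FAIL* OR WARN* OR CANNOT) (email OR sendemail)")


if __name__ == "__main__":
    for name, line in [("thread", THREAD_LINE)] + list(VARIANTS.items()):
        verdict, hint = triage(parse_scheduler_line(line))
        print(f"{name:13s} -> {verdict}: {hint}")
```

Run it with no arguments to see the four verdicts; to triage a real log, read lines from scheduler.log and feed each one to parse_scheduler_line and triage in the same way.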
Hi irangapw,
let me understand: is this the only alert that has problems, or do none of the alerts send email?
In the first case we continue to debug the alert; otherwise we try to understand whether there are problems in the email configuration.
Anyway, in the alert's actions also set "Add to Triggered Alerts"; in this way you can see whether the problem is in the alert or in the email [Activity -- Triggered Alerts].
If the alert is correctly triggered, you first have to check the email configuration [Settings -- Server Settings -- Email settings] and then search the _internal index for error messages.
Bye.
Giuseppe
Hi Giuseppe,
As you mentioned, I added the "Add to Triggered Alerts" action to the alert and now I can see the entries for my alert. It seems there is some issue with my email configuration.
I didn't add any specific configuration there. If my email is a Gmail one, do I need to modify the configuration?
Thanks.
Hi irangapw,
ok, let me know if you've solved it.
Bye.
Giuseppe
Hi,
I followed the steps given in the link below to configure the email settings, but I still don't get the email. Will you be able to help me with it?
https://splunkonbigdata.com/2018/09/03/how-to-configure-email-alerting-using-gmail-smtp-in-splunk/
Find below my configurations:
Mail Host - smtp.gmail.com:587
Email security - TLS
Username - email@gmail.com
Password - email password
Thanks
Hi irangapw,
first check whether the ports used are correctly opened; try using telnet smtp.gmail.com 587.
Then, are you sure that the username is email@gmail.com and not email?
Bye.
Giuseppe
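Beyond the telnet check suggested above, the configuration posted earlier (smtp.gmail.com:587, security TLS, username and password) only works if the server offers STARTTLS on the first EHLO and, after the TLS upgrade, an AUTH mechanism that a username/password login can use. The script below is an added example, not Splunk's own code and not part of the thread; it splits a "host:port" mail host setting, parses EHLO responses, reports what would stop a password login, and can optionally run the same steps live with smtplib. The two EHLO responses embedded in it are constructed to resemble a Gmail session, and the "TLS means STARTTLS on 587, SSL means port 465" mapping and the default port of 25 are assumptions about how the settings page maps to SMTP.

```python
"""STARTTLS/AUTH readiness check for a Splunk "Email settings" mail host.

Added example, not Splunk code. Splunk's "Email security: TLS" is assumed to
mean STARTTLS on the plain port (587 at Gmail); "SSL" would be port 465.
"""
import smtplib
import ssl

# Constructed EHLO responses modelled on smtp.gmail.com before and after
# STARTTLS (illustrative, not captured from a live session).
EHLO_BEFORE_TLS = (
    "smtp.gmail.com at your service, [203.0.113.5]\n"
    "SIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8"
)
EHLO_AFTER_TLS = (
    "smtp.gmail.com at your service, [203.0.113.5]\n"
    "SIZE 35882577\n8BITMIME\nAUTH LOGIN PLAIN XOAUTH2 OAUTHBEARER\n"
    "ENHANCEDSTATUSCODES\nPIPELINING\nCHUNKING\nSMTPUTF8"
)

# Mechanisms that smtplib.SMTP.login() can drive with a plain password.
PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5"}


def parse_mail_host(spec, default_port=25):
    """Split 'host:port' as typed in Mail Host; port defaults to 25 (assumed)."""
    host, sep, port = spec.strip().rpartition(":")
    if not sep:
        return spec.strip(), default_port
    return host, int(port)


def parse_ehlo(text):
    """Map EHLO extension keywords to their parameter lists; line 1 is the greeting."""
    exts = {}
    for line in text.splitlines()[1:]:
        name, _, params = line.strip().partition(" ")
        if name:
            exts[name.upper()] = params.split()
    return exts


def assess(security, before, after):
    """Return a list of findings that would stop a TLS + password login."""
    findings = []
    if security.upper() == "TLS" and "STARTTLS" not in before:
        findings.append("server does not offer STARTTLS on this port; use the SSL port or fix the host")
    if "AUTH" in before:
        findings.append("AUTH is offered before STARTTLS; with security None the password would go out in clear")
    mechs = set(after.get("AUTH", []))
    if not mechs:
        findings.append("no AUTH after STARTTLS; the server will reject any login")
    elif not mechs & PASSWORD_MECHS:
        findings.append("no PLAIN/LOGIN/CRAM-MD5 mechanism; username+password login cannot work")
    return findings


def probe(host, port, username, password, timeout=10):
    """Live version of the check: EHLO, STARTTLS, EHLO again, then login."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()
        before = parse_ehlo(msg.decode("utf-8", "replace"))
        after = before
        if "STARTTLS" in before:
            smtp.starttls(context=ssl.create_default_context())
            _, msg = smtp.ehlo()
            after = parse_ehlo(msg.decode("utf-8", "replace"))
        findings = assess("TLS", before, after)
        login_ok = False
        try:
            smtp.login(username, password)
            login_ok = True
        except smtplib.SMTPException as exc:
            findings.append(f"login failed: {exc}")
        return {"findings": findings, "login_ok": login_ok}


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) == 3:  # python check_smtp.py smtp.gmail.com:587 user@gmail.com
        host, port = parse_mail_host(sys.argv[1])
        print(probe(host, port, sys.argv[2], getpass.getpass("SMTP password: ")))
    else:  # offline demonstration on the constructed responses
        print(assess("TLS", parse_ehlo(EHLO_BEFORE_TLS), parse_ehlo(EHLO_AFTER_TLS)))
```

Run without arguments for the offline check; with a mail host and username it performs the live exchange and reports the server's own rejection text, which is the detail the Splunk UI does not show.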
@irangapw,
are you using the same "time range" in both the search window and the alert?
Hi, I have specified the time in the "Time Range Picker" and it's the same time range.