Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert safeguards for internal search errors

danielbb
Motivator
‎10-08-2021 12:50 PM

I was asked to ask -

Our alerts are relying on various lookups, lookup generators, and other searches. If anything about these underlying layers fail, we have an alert with failing SPL, and these failures are silent, so the alert fails, and we have no idea that it’s because an error in SPL not because there are no events generating them.

Would you ask Splunk Support groups, do we have any option to create an alert action to send us an email whenever a scheduled alert SPL fails due to errors in that SPL? We really need that.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

danielbb
Motivator
‎10-12-2021 08:57 AM

I created an alert which depends on a lookup. When I deleted the lookup two things took place –

1) The alert invocation was still a success in _internal
2) A message was thrown in _internal - 10-12-2021 10:51:40.961 -0400 ERROR SearchOperator:inputcsv - sid:searchparsetmp_647361294 The lookup table 'lookup_name.csv' requires a .csv or KV store lookup definition.

I don't see a way to correlate the error message with the "successful" invocation of the alert.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2021 01:20 PM

I recall that at one time Splunk logged an event when a saved search was scheduled and another one when it ran.  The latter is what I expected you to find with the status field.  Perhaps I'm mis-remembering.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2021 01:34 PM

Create an alert that monitors splunkd.log for instances when your key alerts fail.

 

index=_internal source=*scheduler.log component=SavedSplunker search_type=scheduled status!=success savedsearch_name IN (<<list of quoted alert names>>)

 

 

---
If this reply helps you, Karma would be appreciated.
Reply

yuk
Engager
‎10-11-2021 02:25 AM

Hi Rich,

Are you providing this SPL out of your experience, or just guessing?

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2021 05:31 AM

A bit of both.  😉

---
If this reply helps you, Karma would be appreciated.
Reply

danielbb
Motivator
‎10-08-2021 01:52 PM

Can we search for status as failure?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2021 05:05 PM

Yes, of course you can and that's what I meant to show in my reply.  See the edited response.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...