I would like to create a scheduled alert with a simple search. I want to count something and, when the number returned is too small, trigger the alert. But the alert is not working; I've never received the mail. I don't understand why...
Could someone help me?
Thanks a lot!
At first, check if the alert's search (without the alert) has results.
Then check if your alert is correctly triggered [Activity - Triggered Alerts] or [your_app - alerts] and click on your alert.
Then you must check that your e-mail gateway is correctly configured [Settings - Server Settings - Email settings].
Then check if the channel between the Splunk Search Head and your e-mail server is open.
Thanks for your answer.
We are trying to trigger the alert when we have a result greater than 1000, and we have a count equal to 10 000.
When we have a look in the activity, the alert runs but never triggers.
I do not understand why...
Do you have an idea?
What's the result of your search? You should have a number.
Anyway, if you have a number, you have to put in the other condition, something like this:
index="test" work_order="work" | where NOT like(code, "OK") | stats count(code) AS count | where count > 1000
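As an added example (editor's illustration, not part of the thread or of Splunk's documentation), here is how the alert discussed above looks in savedsearches.conf, for both the "count too large" case from the later posts and the "count too small" case from the original question. The stanza names, cron schedule, time range and e-mail address are assumptions; the index and field names come from the posted search. The point a practitioner needs to check is the trigger condition: once the search ends in `| where count > 1000`, `stats` returns either one row or none, so the alert must trigger on "number of results greater than 0". A trigger condition of "number of results greater than 1000" compares the row count (at most 1) with 1000 and never fires, even when the count inside that row is 10 000.

```ini
# Added example, not from the original thread. Stanza names, schedule,
# time range and recipient are assumptions; adjust to your environment.

# Case 1: fire when the count of non-OK work orders exceeds 1000.
[Non-OK work orders above threshold]
search = index="test" work_order="work" | where NOT like(code, "OK") | stats count(code) AS count | where count > 1000
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# The search already applies the threshold, so a row comes back only when
# count > 1000. Trigger on "number of results greater than 0", not on
# "greater than 1000": stats returns at most one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Keep a record under Activity -> Triggered Alerts so firing can be verified
# independently of e-mail delivery.
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ fired, $result.count$ non-OK work orders
action.email.sendresults = 1

# Case 2 (the original question): fire when the count is too small, here
# below 10. stats count still returns one row with count=0 when nothing
# matched, so a custom condition evaluates even on an empty search window.
[Non-OK work orders below threshold]
search = index="test" work_order="work" | where NOT like(code, "OK") | stats count AS count
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Custom condition: the alert fires when this secondary search, run over
# the results of the main search, returns at least one row.
alert_type = custom
alert_condition = search count < 10
alert.track = 1
alert.severity = 3
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ fired, only $result.count$ non-OK work orders
action.email.sendresults = 1
```

To verify a stanza like this without waiting for the schedule, run the `search` value by hand over the same time range and confirm it returns a row; then check Activity -> Triggered Alerts (enabled by `alert.track = 1`) before suspecting the e-mail path, since a triggered entry with no mail points at the mail server settings or the network path from the search head, while no entry at all points at the trigger condition.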