Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do not achieve to trigger my alert

telecomdesign
New Member
‎06-24-2019 01:58 AM

Hello,
I would like to create a schedule alert with a simple search. I want to count something and when the number return is to small trigger the alert. But the alert is not working, I've never receive the mail. I don't understand why...

Could someone help me ?

Thanks a lot !

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-24-2019 06:19 AM

Hi telecomdesign,

at first check if the alert's search (without alert) has results.
Then check if your alert is correctly trigged [Activity - Triggered Alerts] or [your_app - alerts] and click on your alert.
Then you must check if it's correctly configured your eMail gateway [Settings - Server Settings eMail settings].
Then check if the channel between Splunk Search Head and your eMail server is open.

Bye.
Giuseppe

0 Karma
Reply

telecomdesign
New Member
‎06-24-2019 06:55 AM

Thanks for your answer.
We are trying to trigger the alert when we have a result superior at 1000 and we have a count equal to 10 000
when we have a look in the activity the alert run but never triggers.
I do not understand why...
do you have an idea

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-24-2019 07:14 AM

OK,
at first, your search has results or not?
Please share your search.
Bye.
Giuseppe

0 Karma
Reply

telecomdesign
New Member
‎06-24-2019 08:24 AM

Yes I search as a result.
my search: index="test" work_order="work" |where !like(code, "OK") |stats count(code)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-24-2019 08:29 AM

OK
What's the result of your search? you should have a number.
Anyway, if you have a number, you have to put the other condition, something like this:

 index="test" work_order="work" 
| where !like(code, "OK") 
| stats count(code)  AS count
| where count>1000

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...