Alerting

Does Trial Version allow alerts?

wuming79
Path Finder

Hi,

Does the trial version actually support alerts? I read from an old post that it does, but when I look at my license, whose trial is expiring in 5 days' time, it shows "No licensing alerts". I have also been trying to make an alert work for the past few days; the alert history is displayed in my alert search, but I can't get it to send the email out.

I'm trying this out in my own home. I have also allowed splunk.exe and splunkd.exe through my Windows firewall. I'm confused whether it actually works for the Trial version, as my Licensing page also indicates no licensing alerts.

From python.log I have the following errors:

2017-06-20 10:37:03,311 +0800 ERROR sendemail:137 - Sending email. subject="Splunk Alert: Temperature Threshold Exceeded!", results_link="http://HS:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD565cc5b97a7fcf839_at...", recipients="[u'myemail@yahoo.com']", server="localhost"
2017-06-20 10:37:03,312 +0800 ERROR sendemail:443 - [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to:myemail@yahoo.com


0 Karma

niketn
Legend

@wuming79, have you verified that email exchange is set up/configured properly on the Splunk server, and that the issue is with emails not being sent out rather than a license issue?

You can either test email delivery of a PDF generated from a dashboard, or use the sendemail command directly in a Splunk search. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

wuming79
Path Finder

Hi, I tried
temperature sourcetype=kaa | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?[^\"])\".\"Event\": (?{.*})}$"| spath input=mydata | table _time, endpoint, temperature | eval threshold = 50 | where temperature > threshold | sendemail to="abc@mail.com" sendresults=true

but python.log still shows the same message:

2017-06-20 23:07:05,436 +0800 ERROR sendemail:137 - Sending email. subject="Splunk Alert: Temperature Threshold Exceeded!", results_link="http://HS:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD565cc5b97a7fcf839_at...", recipients="[u'abc@mail.com']", server="localhost"
2017-06-20 23:07:05,437 +0800 ERROR sendemail:443 - [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: abc@mail.com

May I know how I can verify that the email exchange is set up/configured properly on the Splunk server?

0 Karma

lavanyaanne
Path Finder

The Splunk Enterprise trial has full Enterprise features, so alerts will work.

For email alerting to work, you must have a mail server running on the LAN that the Splunk server can connect to. Splunk does not authenticate against the mail server, so the server must be an open relay.

Also make sure that the host doesn't have a firewall that might be blocking SMTP traffic.

0 Karma
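The check niketn suggests and the reachability requirement lavanyaanne describes, as an added example that is not part of the thread or of Splunk's own code: it parses the pair of ERROR entries sendemail writes to python.log (the sample below is constructed to match the excerpt above), reads off which SMTP host the search head tried, and then makes the same TCP connection sendemail would, so the "Errno 10061" case can be reproduced outside Splunk. Port 25 is assumed because the log line carries no port.

```python
"""Added diagnostic for Splunk sendemail failures seen in python.log.
Not from the thread or from Splunk; the SMTP port (25) is an assumption,
since the log entry only records the server name."""
import re
import socket

# Constructed sample shaped like the python.log excerpt in the thread.
SAMPLE_LOG = """\
2017-06-20 10:37:03,311 +0800 ERROR sendemail:137 - Sending email. subject="Splunk Alert: Temperature Threshold Exceeded!", results_link="http://HS:8000/app/search/search?q=...", recipients="[u'myemail@yahoo.com']", server="localhost"
2017-06-20 10:37:03,312 +0800 ERROR sendemail:443 - [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to:myemail@yahoo.com
"""

SEND_RE = re.compile(r'ERROR sendemail:\d+ - Sending email\..*?server="(?P<server>[^"]+)"')
ERRNO_RE = re.compile(r'ERROR sendemail:\d+ - \[Errno (?P<errno>\d+)\] (?P<msg>.*?) while sending mail to:\s*(?P<to>\S+)')

# Winsock 10061 (Windows) and POSIX 111 both mean "connection refused":
# nothing is accepting TCP connections at server:port.
REFUSED_ERRNOS = {10061, 111}


def parse_sendemail_errors(log_text):
    """Pair each 'Sending email.' entry (which names the SMTP server) with
    the error entry that follows it; return one dict per failed send."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            pending = {"server": m.group("server")}
            continue
        m = ERRNO_RE.search(line)
        if m and pending is not None:
            errno = int(m.group("errno"))
            pending.update(errno=errno, to=m.group("to"),
                           refused=errno in REFUSED_ERRNOS)
            failures.append(pending)
            pending = None
    return failures


def check_smtp_listener(host, port=25, timeout=3.0):
    """TCP-connect to host:port the way sendemail would; return a verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"   # the same condition the thread's Errno 10061 reports
    except OSError as exc:  # timeout, DNS failure, firewall drop, ...
        return "unreachable: %s" % exc


for failure in parse_sendemail_errors(SAMPLE_LOG):
    print(failure, "->", check_smtp_listener(failure["server"]))
```

A "refused" verdict for the server named in the log means no SMTP service is listening there, which is the situation in this thread (mailserver left at localhost with no mail server on the host); point the Splunk mail settings at a reachable SMTP host before looking at licensing.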

wuming79
Path Finder

May I know how I can check if my mail server is running on the LAN? I'm using yahoo.com and I don't have a mail server at home.

0 Karma

gcusello
SplunkTrust
0 Karma