Alerting

Have I properly configured advanced conditional attributes for my alert in savedsearches.conf?

_gkollias
Builder

This is the first time I am using an advanced conditional alert in savedsearches.conf.

I'd like to get some feedback about current configurations I have around monitoring scheduled jobs.

If a job is hung for x amount of time, the alert should kick off, however one was manually suspended last night and nothing came out. Here is a sample of my savedsearches.conf along with a sample of the search:

[alert]
action.email.inline = 1
action.script = 1
action.script.filename = email_alert.sh
alert.digest_mode = True
alert.expires = 24h
alert.suppress = 0
alert.track = 1
**alert_condition = | where last_run_ago_seconds>7200
counttype = custom**
cron_schedule = 00 09,10,11,12,13,14,15,16,17,18,19,20,21,22 * * *
displayview = flashtimeline
enableSched = 1
search = index=index earliest=-60m@m latest=@m sourcetype=blah <servicenamehere> | head 100 | stats latest(_time) as last_seen, first(host) as host_start by service | addinfo | eval last_run_ago_seconds=round( info_search_time-last_seen ) | stats min(last_run_ago_seconds) as last_run_ago_seconds, values(host_start) as host_start by service | fillnull value="n/a" host_start  | eval message=if(last_run_ago_seconds>7200, "This Job May Be Hung", "Job Looks OK") | table service,last_run_ago_seconds,host_start,message

When I run the search manually things look OK, but I want to make sure my use of alert_condition and counttype are correct. Or, if there is another way of kicking off a similar alert I am open to suggestions.

Thanks in advance!

0 Karma
1 Solution

frobinson_splun
Splunk Employee
Splunk Employee

Hi @KolGr001,
"Counttype" should not be specified if you are using an "alert_condition" in savedsearches.conf.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf

The spec file mentions that, if you include an alert_condition, you should not set counttype, relation, or quantity. I've corrected a discrepancy in older versions of our documentation that stated otherwise.

Hope this helps!

View solution in original post

frobinson_splun
Splunk Employee
Splunk Employee

Hi @KolGr001,
"Counttype" should not be specified if you are using an "alert_condition" in savedsearches.conf.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf

The spec file mentions that, if you include an alert_condition, you should not set counttype, relation, or quantity. I've corrected a discrepancy in older versions of our documentation that stated otherwise.

Hope this helps!

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...