Alerting

How does the Splunk UI distinguish an alert in savedsearches.conf?

altink
Builder

Alerts and Reports are both persisted in savedsearches.conf. How does the UI decide that a certain entry shall be displayed under the Alerts page (../app_name/alerts)?

In the question "Report v.s. Alert, what's the difference?" this is mentioned in the second paragraph as:
"while we use Alert for a Search that will make a determination to take action in contacting the outside world via email or script execution if its results match a criteria."

Question 1:
What are the settings that make an entry show under Alerts (and not under Reports)?

Question 2:
I want to deploy the alerts of my app with the sole action of "Add to Triggered Alerts" (for which I use the setting alert.track = 1). No email, no script.
Is this possible?


altink
Builder

The following setting would do:

enableSched = 1

However:
1. The value must be 1; with 0 the entry goes to the Reports page, not Alerts. This excludes the possibility of deploying alerts in disabled (scheduler) mode, the desired option.
2. What other fields could do the same, and with what values?

In short (issue remaining):
What is the logic of this behavior? Is it documented?


richgalloway
SplunkTrust

Requiring enableSched = 1 for an alert makes sense since the alert won't work without it. To disable an alert, set disabled = 1.

---
If this reply helps you, Karma would be appreciated.

altink
Builder

Thank you for the disabled = 1.

But the reason for this question remains:

What are the settings that make an entry show under Alerts (and not under Reports)?
What is the logic of this behavior? Is it documented?


richgalloway
SplunkTrust

It is not documented. 

IME, counttype=always means it will appear under Reports; otherwise, it appears under Alerts.


altink
Builder

I already had it:

counttype = number of events

and it shows on the Reports page, not under Alerts.


richgalloway
SplunkTrust

Then there must be more to it in newer versions of Splunk. Check the Alerts list, select a few names from it, then look them up in savedsearches.conf to see what settings may be putting them in that list.


altink
Builder

This is the Alert that gets displayed under the Reports tab:

[Alert_name]
alert.severity = 5
dispatch.latest_time = now
description = Access Errors - App Schemas
dispatch.earliest_time = -10m
search = index = ....
alert.expires = 5d
relation = greater than
alert.track = 1
alert.suppress = 0
display.page.search.tab = statistics
quantity = 0
counttype = number of events
request.ui_dispatch_view = search
cron_schedule = */10 * * * *
display.general.type = statistics
request.ui_dispatch_app = app_name


richgalloway
SplunkTrust
SplunkTrust

1. A scheduled search is an alert if the counttype field is not set to "always".

2. I believe alert.track = 1 is all that is needed here. You can confirm that by defining such an alert in the GUI and then examining the appropriate savedsearches.conf file.

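Following the suggestion above to look the listed entries up in savedsearches.conf, here is an added Python example (not part of the original thread and not Splunk's own code) that parses a savedsearches.conf, tabulates the settings this thread discusses per stanza, and applies the rule assembled from the two observations in the thread: the entry lands under Alerts only when enableSched = 1 and counttype is not "always". That rule, the assumed conf defaults (enableSched 0, counttype always), and the sample stanzas are assumptions, not documented Splunk behaviour. The first sample stanza mirrors the one posted above, which has no enableSched line; under this rule that alone puts it under Reports. The has_only_track_action check covers question 2: alert.track = 1 with no actions list and no action.<name> = 1 flag.

```python
"""Tabulate savedsearches.conf stanzas by the settings this thread discusses.

Added example; not Splunk's code and not from the original thread. The
alert-vs-report rule in classify() is the heuristic assembled from the
thread (enableSched = 1 AND counttype != always), not documented behaviour.
"""

# Settings the thread discusses, tabulated per stanza so that entries seen on
# the Alerts page can be compared with entries seen on the Reports page.
RELEVANT = ("enableSched", "disabled", "counttype", "relation", "quantity",
            "alert.track", "cron_schedule", "actions")


def parse_savedsearches(text):
    """Minimal parser for Splunk's INI-style .conf files.

    Handles [stanza] headers, key = value lines (split on the first '=', so
    'search = index=foo' keeps its own '='), '#' comments and trailing
    backslash line continuation. Returns {stanza: {key: value}}.
    """
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):            # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def classify(settings):
    """Return 'alert' or 'report' for one stanza (thread heuristic, assumed).

    Only a scheduled search (enableSched = 1; assumed default 0) whose
    counttype is not 'always' (assumed default 'always') goes under Alerts.
    """
    scheduled = settings.get("enableSched", "0").strip() == "1"
    counttype = settings.get("counttype", "always").strip().lower()
    return "alert" if scheduled and counttype != "always" else "report"


def has_only_track_action(settings):
    """True when the only alert action is 'Add to Triggered Alerts'
    (alert.track = 1) with no 'actions' list and no action.<name> = 1 flag."""
    if settings.get("alert.track", "0").strip() != "1":
        return False
    listed = [a.strip() for a in settings.get("actions", "").split(",") if a.strip()]
    flagged = [k for k, v in settings.items()
               if k.startswith("action.") and k.count(".") == 1 and v.strip() == "1"]
    return not listed and not flagged


def summarize(conf_text):
    """One row per stanza: expected page, track-only flag, relevant settings."""
    rows = []
    for name, settings in parse_savedsearches(conf_text).items():
        row = {"stanza": name, "page": classify(settings),
               "track_only": has_only_track_action(settings)}
        row.update({k: settings.get(k, "<unset>") for k in RELEVANT})
        rows.append(row)
    return rows


# Constructed sample: the poster's stanza (no enableSched line), the same
# stanza scheduled, and a scheduled search with counttype = always plus email.
SAMPLE_CONF = """\
[Alert_name]
alert.severity = 5
dispatch.earliest_time = -10m
dispatch.latest_time = now
search = index=app_logs sourcetype=access_combined status>=500
relation = greater than
quantity = 0
counttype = number of events
alert.track = 1
cron_schedule = */10 * * * *

[Alert_name_scheduled]
enableSched = 1
search = index=app_logs sourcetype=access_combined status>=500
relation = greater than
quantity = 0
counttype = number of events
alert.track = 1
cron_schedule = */10 * * * *

[Scheduled_report_with_email]
enableSched = 1
search = index=app_logs \\
  | stats count by status
counttype = always
actions = email
action.email = 1
action.email.to = soc@example.com
cron_schedule = 0 6 * * *
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_CONF):
        print(row)
```

Run it against a real file by passing the contents of etc/apps/<app>/local/savedsearches.conf to summarize() and comparing the "page" column with what the UI actually lists; any stanza where the two disagree is the one to inspect for the extra setting the thread has not pinned down.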

altink
Builder

The settings are:

relation = greater than
alert.track = 1