Alerting

How does the Splunk UI distinguish an alert in savedsearches.conf?

altink
Contributor

Alerts and Reports are both persisted in savedsearches.conf. How does the UI decide that a certain entry shall be displayed under the Alerts page (../app_name/alerts)?

In the question
Report v.s. Alert, what's the difference?
this is mentioned in the second paragraph as:
"while we use Alert for a Search that will make a determination to take action in contacting the outside world via email or script execution if its results match a criteria."

Question 1:
What are the settings that make an entry show under Alerts (and not under Reports)?

Question 2:
I want to deploy the alerts of my app with the sole action of "Add to Triggered Alerts" (for which I do use the setting: alert.track = 1). No email, no script.
Is this possible?


altink
Contributor

The following setting would do:

enableSched = 1

However:
1. The value must be 1. A value of 0 will go to the Reports page, and not Alerts. This excludes the possibility to deploy alerts in disabled (scheduler) mode, the desired option.
2. What other fields could do the same, and with what values?

In short (issue remaining):
What is the logic of this behavior? Is it documented?


richgalloway
SplunkTrust
SplunkTrust

Requiring enableSched = 1 for an alert makes sense since the alert won't work without it. To disable an alert set disabled = 1.

---
If this reply helps you, an upvote would be appreciated.

altink
Contributor

Thank you for the disabled = 1.

But the reason for this question remains:

What are the settings that make an entry show under Alerts (and not under Reports)?
What is the logic of this behavior? Is it documented?


richgalloway
SplunkTrust
SplunkTrust

It is not documented.

IME, counttype=always means it will appear under Reports; otherwise, it appears under Alerts.

---
If this reply helps you, an upvote would be appreciated.

altink
Contributor

I already had it:

counttype = number of events

and it is showing on the Reports page, and not under Alerts.


richgalloway
SplunkTrust
SplunkTrust

Then there must be more to it in newer versions of Splunk. Check the Alerts list, select a few names from it, then look them up in savedsearches.conf to see what settings may be putting them in that list.

---
If this reply helps you, an upvote would be appreciated.

altink
Contributor

This is the alert that gets displayed under the Reports tab:

[Alert_name]
alert.severity = 5
dispatch.latest_time = now
description = Access Errors - App Schemas
dispatch.earliest_time = -10m
search = index = ....
alert.expires = 5d
relation = greater than
alert.track = 1
alert.suppress = 0
display.page.search.tab = statistics
quantity = 0
counttype = number of events
request.ui_dispatch_view = search
cron_schedule = */10 * * * *
display.general.type = statistics
request.ui_dispatch_app = app_name



richgalloway
SplunkTrust
SplunkTrust

1. A scheduled search is an alert if the counttype field is not set to "always".

2. I believe alert.track = 1 is all that is needed here. You can confirm that by defining such an alert in the GUI and then examining the appropriate savedsearches.conf file.

---
If this reply helps you, an upvote would be appreciated.

altink
Contributor

The settings are:

relation = greater than
alert.track = 1
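As an added example (not code from this thread or from Splunk), a small Python audit that applies the heuristics the thread arrived at to an app's savedsearches.conf before it is shipped; the minimal conf parser and the assumed default of counttype = always when the key is absent are my assumptions:

```python
# Added example, not from the thread or from Splunk. Rules are the thread's
# heuristics, not documented behaviour: enableSched=1 and counttype != always
# -> Alerts page, anything else -> Reports; alert.track=1 adds "Add to
# Triggered Alerts"; disabled=1 only stops the schedule, it does not move the entry.
import re
STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Minimal Splunk .conf reader ([stanza], key = value, '#' comments); assumes no continuation lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # search strings contain '=' too
            current[key.strip()] = value.strip()
    return stanzas

def classify(settings):
    """Page the stanza lands on, plus the two flags the thread asks about (counttype assumed 'always' if absent)."""
    scheduled = settings.get("enableSched", "0") == "1"
    counttype = settings.get("counttype", "always").lower()
    return {"page": "alert" if scheduled and counttype != "always" else "report",
            "tracked": settings.get("alert.track", "0") == "1",
            "disabled": settings.get("disabled", "0") == "1"}

def audit(text):
    return {name: classify(s) for name, s in parse_conf(text).items()}

# Constructed sample covering the stanza shapes discussed in the thread.
SAMPLE = """\
[tracked_alert]
enableSched = 1
counttype = number of events
alert.track = 1
search = index=app_logs status>=500 | stats count
[daily_report]
enableSched = 1
counttype = always
[never_scheduled]
counttype = number of events
alert.track = 1
[shipped_disabled]
enableSched = 1
disabled = 1
counttype = number of events
"""
```

Running `audit(SAMPLE)` flags never_scheduled as the case from the thread: tracked, but on the Reports page because it is not scheduled.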