Alerting

How to create splunk alert using config files?

fatmamaamouri
Explorer

I created savedsearches.conf file to create a splunk alert and restart the splunk service, but I still can't see the new alert in the UI, I am using the following configuration:

fatmamaamouri_0-1659978435330.png

Thanks in advance!

Labels (1)
Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The inputs.conf is for data collection which can happen on both Splunk Universal Forwarder and Splunk enterprise. The alerting (which is basically scheduled searching) happens only on Splunk Enterprise instances, commonly on your Search Heads. Instead of creating the alert on UF, place it on your Search Head (where you're searching the data).

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

At what location did you place the savedsearches.conf? Are you looking at correct app context?

0 Karma

fatmamaamouri
Explorer

I create it under /opt/splunkforwarder/etc/apps/gurobi/default/

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you're really installing the alert on a Universal Forwarder then you'll never see it because UFs don't have a UI.  Are you sure that's location where the edits were made?

---
If this reply helps you, Karma would be appreciated.

fatmamaamouri
Explorer

yes I am sure

fatmamaamouri_0-1659990805895.png

 

0 Karma

fatmamaamouri
Explorer

same path used for inputs.conf file and I can see logs from that data source in the UI

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The inputs.conf is for data collection which can happen on both Splunk Universal Forwarder and Splunk enterprise. The alerting (which is basically scheduled searching) happens only on Splunk Enterprise instances, commonly on your Search Heads. Instead of creating the alert on UF, place it on your Search Head (where you're searching the data).

richgalloway
SplunkTrust
SplunkTrust

Splunk doesn't like "0/1 * * * *" as a cron schedule.  Try "* * * * *" to get it working.  Then change to a less-frequent schedule.

The config is missing the counttype setting.  Without it, the search defaults to a report.  To make it an alert, set counttype = number of events.

---
If this reply helps you, Karma would be appreciated.
0 Karma

fatmamaamouri
Explorer

I am using the following configuration, but still can't see it

[Gurobitest]
# send an email notification
action.email = 1
action.email.to = <my_email_address>
action.email.useNSSubject = 1

alert.suppress = 0
alert.track = 0

cron_schedule = 0 23 * * *

counttype = number of events
quantity = 0
relation = greater than

#search for results in the last day
dispatch.earliest_time = -1d
dispatch.latest_time = now

display.events.fields = ["host","source","sourcetype","latitude"]
display.page.search.mode = verbose
display.visualizations.charting.chart = area
display.visualizations.type = mapping

enableSched = 1

request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = sourcetype=gurobi_expiration

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...