How to troubleshoot why one of our users is not re...

Kaushikkatta03 · ‎05-13-2016

This is one of the example email alerts:

Saved search results. 

Name: 'Cisco - Level 3 Internet BGP Drops (dcinternet02r)' 
Query Terms: 'source=\"/var/log/syslog_info\" _raw=*\"%BGP-5-ADJCHANGE: neighbor 4.15.168.57\"* earliest=-36hr@h | table _time, _raw | sort -_time' 
Link to results: https://splunk.********.com/
sid=scheduler__hfmra200__search__RMD5ce14eefd70aff3f9_at_1459853760_15001 
Alert was triggered because of: 'Saved Search [Cisco - Level 3 Internet BGP Drops (dcinternet02r)]: always(0)'

richgalloway · ‎05-13-2016

Verify the user's email address is correct in the alert.
Ask the user to check his spam folder and mail filters.

---
If this reply helps you, Karma would be appreciated.

Kaushikkatta03 · ‎05-13-2016

Everything are good , from there side email address and he check in spam fold. He haven't received any mails.

And if i try to run commands under the applications which are in saved search, like:

source=\"/var/log/syslog_info\" _raw=\"%BGP-5-ADJCHANGE: neighbor 4.15.168.57\" earliest=-36hr@h | table _time, _raw | sort -time

I cant see any data . "No data found "

pradeepkumarg · ‎05-13-2016

Is he the only recipient for the alert? If so, check sourcetype = python_log logs for any errors in sending email. If there are other recipients for the alert check with them to see if they got the email and you can validate the to distribution list from that email

pradeepkumarg · ‎05-13-2016

Sorry, I didn't realize python logs are not indexed by default and you have to specifically index them. But you can find them here $SPLUNK_HOME/var/log/splunk/python.log

How to troubleshoot why one of our users is not receiving email alerts from Splunk?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application