Alerting

I am creating test email alerts, but why are they not triggering?

alanxu
Communicator

Hello,

I am creating an alert to send an email out if any errors are found. So my search is source="MYPATH" ERROR. Results come up when I put "since 5/30/15." After I save it as an alert, I set it to run every hour so that I can test it. However, it never triggers. Do alerts not work with old data?

When I go to my alert and say open in search, it automatically changes it to "Last 1 Hour" so I am confused what I am doing wrong.

0 Karma

woodcock
Esteemed Legend

You have to specify a time frame and it probably defaults to "last hour". Edit your search and near the top you will see a "Start time" and a "Finish time" field as well as a "Learn more" link. Click on "Learn more" and read all about it. Then set the values as you desire.

alanxu
Communicator

Once the search finishes I get results, so I will save it and have it run at 30 minutes of every hour.

0 Karma

alanxu
Communicator

Where is the start and finish time?

0 Karma

woodcock
Esteemed Legend

Go to Settings -> Searches, reports & alerts and search for your alert there. If it is not there, create it again and save it as an "Alert". Then you should have all the options.

0 Karma

alanxu
Communicator

Time range is when it runs, right, not the time range of the data?

0 Karma

martin_mueller
SplunkTrust

Time range is the time range; when it runs is determined by the cron schedule.

0 Karma
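
The difference between the search time range and the cron schedule, shown as an added `savedsearches.conf` sketch that is not part of the original thread. The stanza names and the recipient address are constructed; the search string, the 5/30/15 date and the run at 30 minutes past the hour come from the posts above.

```ini
# savedsearches.conf (constructed example; stanza names and recipient are assumptions)

# Alert as saved with the default window. It runs at minute 30 of every hour
# but only searches the previous hour, so errors from 5/30/15 are never in
# scope and the trigger condition is never met.
[error_alert_last_hour]
search = source="MYPATH" ERROR
dispatch.earliest_time = -1h
dispatch.latest_time = now
cron_schedule = 30 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com

# Test variant. The schedule is unchanged; only the data window differs.
# Time modifiers inside the search string take precedence over the
# time range set on the saved search, so old events are now in scope.
[error_alert_since_may30]
search = source="MYPATH" ERROR earliest=05/30/2015:00:00:00 latest=now
cron_schedule = 30 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com
```

With the wide window, every scheduled run matches the same old events again and sends another email, so it suits a one-off test; for ongoing use the window should match the schedule interval.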

alanxu
Communicator

So do Splunk alerts work with old data? I watched the tutorial on alerts from Splunk, but it didn't answer that question.

0 Karma

alanxu
Communicator

I am going to try to create a new search. So I have my text... source="MYPATH" ERROR. And I will create the date and time range for since 5/30/15. And shouldn't I just run it for 15 mins of every hour so I can test it now?

0 Karma