I am creating test email alerts, but why they are ...

alanxu · ‎07-13-2015

Hello,

I am creating an alert to send an email out if any errors are found. So my search is source="MYPATH" ERROR. Results come up when I put "since 5/30/15." After I save it as an alert, I set it to run every hour so that I can test it. However, it never triggers. Do alerts not work with old data?

When I go to my alert and say open in search, it automatically changes it to "Last 1 Hour" so I am confused what I am doing wrong.

woodcock · ‎07-13-2015

You have to specify a time frame and it probably defaults to "last hour". Edit your search and near the top you will see a "Start time" and a "Finish time" field as well as a "Learn more" link. Click on "Learn more" and read all about it. Then set the values as you desire.

alanxu · ‎07-13-2015

Once the search finishes I get results so I will save it and have it run at 30 minutes of every hour

alanxu · ‎07-13-2015

Where is the start and finish time?

woodcock · ‎07-13-2015

Go to Settings -> Searches, reports & alerts and search for your alert there. If it is not there, create it again and save it as an "Alert". Then you should have all the options.

alanxu · ‎07-13-2015

Time range is when it runs right not the the time range of the data?

martin_mueller · ‎07-13-2015

Time range is the time range, when it runs is determined by the cron schedule.

alanxu · ‎07-13-2015

So does Splunk alerts work with old data? I watched the tutorial on alerts from Splunk, but it didnt answer that question

alanxu · ‎07-13-2015

I am going to try to create a new search. So I have my text... source="MYPATH" ERROR. And I will create the date and time range for since 5/30/15. And shouldn't I just run it for 15 mins of every hour so I can test it now.

I am creating test email alerts, but why they are not triggering?

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats