Re: I created an Alert, is there any way to test i...

rwolinski · ‎07-14-2017

I created an alert for a condition that I want an email notification for going forward. Setting up the alert is fairly straight forward. I only want it to check at 15 minutes past the hour, for the past hour. Now that I have it created, I would like to test it, but the condition I am looking for is from earlier in the day. Is there a way to test that? I want to make sure the email addresses I entered are correct and that those groups will receive the email if the condition is encountered again in the future.

Thank you

woodcock · ‎07-14-2017

When I need to do this, I add a macro to the end of the search that will add fake data with an append [|makeresults ... for test and | noop for non-test. When testing, just change the macro.

wpreston · ‎07-14-2017

You could also test it directly from the search bar using the sendalert command. Docs here and here.

adonio · ‎07-14-2017

couple of things here:
if you know the condition existed earlier that day, just create a fake alert with same condition that searches that time range
testing the emails is straight forward, use the sendmail command as described here and verify everybody receives email.
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Sendemail#Examples
hope it helps

rwolinski · ‎07-14-2017

This worked perfectly. I everyone got the emails and exactly what we were expecting in them. Thank you.

sbbadri · ‎07-14-2017

try this

index=xxxx sourcetype=xxxx earliest= latest= rest of the query along with condition | sendemail to=\"abc@123.com\" format=\"html\" server=localhost subject=\"Alert for Data\" message=\"This is an alert for some data\" sendpdf=true"

http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Sendemail

I created an Alert, is there any way to test it?

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...