Alerting

I have an alert_actions.conf being ignored

ddeighton
Explorer

I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.

I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.

Any ideas on why this doesn't work?

Labels (1)
Tags (1)

claudio_manig
Communicator

Add a local.meta file to "alertactionappname/metadata" with the following stanza:

[]
export = system

this will do the job and solve the problem

realsplunk
Motivator

Don't forget to do SHC rolling restart, you can also put in default.meta

0 Karma

gavin1_davenpor
Path Finder

Antonio (my splunk homey) went through this - the answer is in precedence and I don't think it's a bug.

See
docs.splunk.com/Documentation/Splunk/6.0.1/admin/Wheretofindtheconfigurationfiles

alert_actions.conf is effective at app/user scope - not global.

if you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.

If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.

The access URL tells you which scope you're in. I have put an alert_actions.conf in
$SPLUNK_HOME/etc/apps/dbx/local.

I can configure it from the GUI if I want from this url:
h-t-t-p://instance:8000/en-US/manager/dbx/admin/alert_actions/email?action=edit

If I want to email searches from within the search app - I must place the file in
$SPLUNK_HOME/etc/apps/search/local

and i configure it from the gui using this URL:
h-t-t-p://instance:8000/en-US/manager/search/admin/alert_actions/email?action=edit

Its scope of effect is 'app/user', not global.

A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.

Gavs

sloshburch
Splunk Employee
Splunk Employee

Any thoughts on if it can be made global using an export = system in the default.meta of a custom app?

0 Karma

gavin1_davenpor
Path Finder

It is highly unlikely splunk changed the precedence rules for that file between releases. Antonio tested it on 5.* and saw the same behaviour...

0 Karma

sloshburch
Splunk Employee
Splunk Employee

That may be for 6*, but is it different for 5*?

0 Karma

abonuccelli_spl
Splunk Employee
Splunk Employee

SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5, splunk is connecting to mailserver indicated below

ON DS

/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf 
[email]
auth_password = $1$d2gP+53E8tz
auth_username = myemail@mailprovider.com
mailserver = smtp.mailprovider.com:2500
reportServerURL = 
from = myemail@mailprovider.com

ON DC

   /opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command
alert_actions.conf [email]
alert_actions.conf auth_password = $1$ndCtP+qYE8tz
alert_actions.conf auth_username = myemail@mailprovider.com
alert_actions.conf           bcc = 
alert_actions.conf           cc = 
alert_actions.conf           format = html
alert_actions.conf from = myemail@mailprovider.com
alert_actions.conf           hostname = 
alert_actions.conf           inline = 0
alert_actions.conf mailserver = smtp.mailprovider.com:2500
alert_actions.conf           maxresults = 10000
alert_actions.conf           maxtime = 5m
alert_actions.conf           pdfview = 
alert_actions.conf           preprocess_results = 
alert_actions.conf           reportCIDFontList = gb cns jp kor
alert_actions.conf           reportIncludeSplunkLogo = 1
alert_actions.conf           reportPaperOrientation = portrait
alert_actions.conf           reportPaperSize = letter
alert_actions.conf           reportServerEnabled = false
alert_actions.conf reportServerURL = 
alert_actions.conf           sendpdf = 0
alert_actions.conf           sendresults = 0
alert_actions.conf           subject = Splunk Alert: $name$
alert_actions.conf           to = 
alert_actions.conf           track_alert = 1
alert_actions.conf           ttl = 86400
alert_actions.conf           use_ssl = 0
alert_actions.conf           use_tls = 0
alert_actions.conf           width_sort_columns = 1

cbowles
Explorer

ddeighton,

I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.

Submitted a bug report.

sloshburch
Splunk Employee
Splunk Employee

I don't see SPL-55476 listed on docs.splunk.com. Has this been listed as a known issue or fixed? http://docs.splunk.com/Special:SplunkSearch/docs?q=SPL-55476

0 Karma

Rob
Splunk Employee
Splunk Employee

Splunk bug SPL-55476 was created to address this issue. Thanks everyone that continues to reference this answer post.

0 Karma

cbowles
Explorer

Support Case # 84640 for this issue.

0 Karma

Drainy
Champion

@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is aflicting more than one user, also they may find multiple data sources on the bug helpful -> https://www.splunk.com/page/submit_issue if @cbowles could share his support ref then you could include that within your ticket so they can link the two issues quickly.

0 Karma

ddeighton
Explorer

Thanks, cbowles, for confirming the problem and filing the bug report.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...