Alerting

Newly added Splunk alert action doesn't show in Alert

wendtb
Path Finder

I have just added 2 new alert actions in Splunk. I verified that the permissions on the alert action are read for everyone, and the app for that alert action is shared to everything. I am unable to see the alert actions in an alert that is already configured.

The alert actions are being distributed via deployment server to two search heads.

What am I missing?

0 Karma
1 Solution

wendtb
Path Finder

This was resolved with help from the Splunk slack channel.

I had to import the app into ES in order for the alert action to show up for ES alerts. This only applies to ES versions 5.2.2 or before.

Reference Document: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps

View solution in original post

0 Karma

wendtb
Path Finder

This was resolved with help from the Splunk slack channel.

I had to import the app into ES in order for the alert action to show up for ES alerts. This only applies to ES versions 5.2.2 or before.

Reference Document: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps

0 Karma

koshyk
Super Champion

Are the search heads, standalone search heads? If it is Clustered, then Deployment-server is NOT the method to deploy apps to SHC

if it is standalone Search Heads, please run a btool on the Search Head to see if which app owns the alerts and ensure the permissions are correct in SH

/opt/splunk/bin/splunk cmd btool alert_actions list --debug > /tmp/alert_actions.btool.txt

cheers

0 Karma

wendtb
Path Finder

What am I looking for in the alert_actions.conf that tells me which app owns the alerts? I don't see anything specifically referring to ownership.

These are also standalone search heads.

0 Karma

wendtb
Path Finder

I also tried direct install of the alert actions/app onto the Search Head, and I am having the same problem.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...