Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Newly added Splunk alert action doesn't show in Al...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wendtb
Path Finder
05-15-2019
09:56 AM
I have just added 2 new alert actions in Splunk. I verified that the permissions on the alert action are read for everyone, and the app for that alert action is shared to everything. I am unable to see the alert actions in an alert that is already configured.
The alert actions are being distributed via deployment server to two search heads.
What am I missing?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wendtb
Path Finder
05-22-2019
08:09 AM
This was resolved with help from the Splunk slack channel.
I had to import the app into ES in order for the alert action to show up for ES alerts. This only applies to ES versions 5.2.2 or before.
Reference Document: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wendtb
Path Finder
05-22-2019
08:09 AM
This was resolved with help from the Splunk slack channel.
I had to import the app into ES in order for the alert action to show up for ES alerts. This only applies to ES versions 5.2.2 or before.
Reference Document: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-20-2019
08:51 AM
Are the search heads, standalone search heads? If it is Clustered, then Deployment-server is NOT the method to deploy apps to SHC
if it is standalone Search Heads, please run a btool on the Search Head to see if which app owns the alerts and ensure the permissions are correct in SH
/opt/splunk/bin/splunk cmd btool alert_actions list --debug > /tmp/alert_actions.btool.txt
cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wendtb
Path Finder
05-20-2019
09:14 AM
What am I looking for in the alert_actions.conf that tells me which app owns the alerts? I don't see anything specifically referring to ownership.
These are also standalone search heads.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wendtb
Path Finder
05-20-2019
08:33 AM
I also tried direct install of the alert actions/app onto the Search Head, and I am having the same problem.
Get Updates on the Splunk Community!
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
The Latest Cisco Integrations With Splunk Platform!
Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
