I have just added 2 new alert actions in Splunk. I verified that the permissions on the alert action are read for everyone, and the app for that alert action is shared to everything. I am unable to see the alert actions in an alert that is already configured.
The alert actions are being distributed via deployment server to two search heads.
What am I missing?
This was resolved with help from the Splunk slack channel.
I had to import the app into ES in order for the alert action to show up for ES alerts. This only applies to ES versions 5.2.2 or before.
Reference Document: https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps
Are the search heads standalone search heads? If they are clustered, then the deployment server is NOT the method to deploy apps to an SHC.
If they are standalone search heads, please run btool on the search head to see which app owns the alerts, and ensure the permissions are correct on the SH:
/opt/splunk/bin/splunk cmd btool alert_actions list --debug > /tmp/alert_actions.btool.txt
cheers
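Added example (not from this thread): a small POSIX shell helper that reads `btool alert_actions list --debug` output and reports, per stanza, which app directory supplied the `[stanza]` header plus whether `is_custom` and `disabled` are set. It assumes the `--debug` format of one conf-file path followed by the conf line on each line; the sample output below is constructed, and `my_alert_app` and `my_custom_action` are made-up names.

```shell
#!/bin/sh
# Constructed sample of `splunk cmd btool alert_actions list --debug` output.
# Assumption: every line is "<path-to-conf-file><whitespace><conf line>".
SAMPLE_BTOOL=$(cat <<'EOF'
/opt/splunk/etc/system/default/alert_actions.conf            [email]
/opt/splunk/etc/system/default/alert_actions.conf            label = Send email
/opt/splunk/etc/apps/my_alert_app/default/alert_actions.conf [my_custom_action]
/opt/splunk/etc/apps/my_alert_app/default/alert_actions.conf is_custom = 1
/opt/splunk/etc/apps/my_alert_app/default/alert_actions.conf label = My Custom Action
/opt/splunk/etc/apps/my_alert_app/local/alert_actions.conf   disabled = 1
EOF
)

# Print one tab-separated line per stanza: app, stanza, is_custom, disabled.
# "system" means the header came from etc/system rather than an app directory.
alert_action_owners() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (stanza != "") printf "%s\t%s\t%d\t%d\n", app, stanza, custom, disabled
    }
    { path = $1; sub(/^[^ \t]+[ \t]+/, ""); line = $0 }
    line ~ /^\[.*\]$/ {
      flush()
      stanza = substr(line, 2, length(line) - 2)
      app = "system"
      # "/etc/apps/" is 10 characters; strip it and the trailing "/" to get the app name.
      if (match(path, /\/etc\/apps\/[^\/]+\//)) app = substr(path, RSTART + 10, RLENGTH - 11)
      custom = 0; disabled = 0
      next
    }
    line ~ /^is_custom[ \t]*=[ \t]*1/ { custom = 1 }
    line ~ /^disabled[ \t]*=[ \t]*1/  { disabled = 1 }
    END { flush() }
  '
}

# Print the app that owns one alert action stanza (empty output if not present).
owning_app() {
  alert_action_owners "$1" | awk -F '\t' -v s="$2" '$2 == s { print $1; exit }'
}

# Stand-alone run against the constructed sample; replace with the real file:
#   alert_action_owners "$(cat /tmp/alert_actions.btool.txt)"
alert_action_owners "$SAMPLE_BTOOL"
```

Note that read/write sharing is not in alert_actions.conf at all; it lives in the app's metadata/default.meta and metadata/local.meta, so check those (or `btool ... --debug` on the relevant conf type) separately if a `disabled = 1` from a local file is not the cause.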
What am I looking for in the alert_actions.conf that tells me which app owns the alerts? I don't see anything specifically referring to ownership.
These are also standalone search heads.
I also tried direct install of the alert actions/app onto the Search Head, and I am having the same problem.