Not able to receive any alerts from SPLUNK for one...

Dhanush · ‎10-31-2020

One of the user is not able to receive any alerts if the user is trying to create an alert. However, If we create the same alert we are able to receive and marked the user as well in CC, he is able to receive the alert. As part of the trouble shooting we could see that particular role has all the capabilities to schedule a search. However, We are still encountering issue.

Need Help..If someone has inputs. That would be a great help.

@murbanek_splunk

isoutamo · ‎10-31-2020

When he is doing that search, he was seeing those events?
This is not a real-time alert?
r. Ismo

Dhanush · ‎10-31-2020

It's a real time alert where the query count exceeds the threshold count..The user would be receiving alerts.

As part of the troubleshooting we could receive the exact copy of these alerts, when we create a duplicate one. However, when the user is creating he is not able to get nor us(Even if we are marked in the e-mail)

isoutamo · ‎10-31-2020

Your user needs also [capability::schedule_rtsearch]
for do alerts based on real-time search.

Then it’s another story should he use real-time alert or scheduled alert. Personally I’m not a fan of real-time alert and until now I have succeeded to do those with normal scheduled searches.
r. Ismo

Not able to receive any alerts from SPLUNK for one particular role

alert action

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor