Alerting

Not getting Email Alert for my saved search

shreyasathavale
Communicator

Hi,
Below is my saved search :

index=perfmon source="perfmon:cputime" counter="% Processor Time" earliest=-15m
| stats avg(Value) as CpuUsage by role,host
| where CpuUsage > 10
| join type=left max=0 host
    [ search index=perfmon source="Perfmon:Process" instance!="_Total" instance!="Idle" instance!="System"
      | top limit=5 instance by host
      | rename instance AS Process
      | fields host,Process ]

For this I am unable to get an email alert. The following is what I have added in savedsearches.conf:

action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com 
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1

What is wrong? I need help!

0 Karma

MuS
SplunkTrust

Hi shreyasathavale,

Check splunkd.log and python.log for any error related to this saved search.
Check that your Splunk server is allowed to send out email, and keep in mind that if you're using a *nix server, Splunk expects localhost to be the sendmail server.
Also check scheduler.log for alert_action="email" to see if any alert was fired at all and whether the email was triggered.

hope this helps ...

cheers, MuS

0 Karma

shreyasathavale
Communicator

Ok, thanks.. I will try it and will update it here 🙂

0 Karma

MuS
SplunkTrust

check this:

counttype =

Set the type of count for alerting.
Possible values: number of events, number of hosts, number of sources, and always.
You've set it to custom, which is not listed among the possible values.

0 Karma
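Two of MuS's suggestions above lend themselves to an offline check: reading scheduler.log for the alert_actions field to see whether the scheduler ever ran the search and fired the email action, and comparing the stanza's counttype against the values the spec lists. The script below is an added example, not code from the thread or from Splunk: check_stanza() lints a savedsearches.conf stanza (it flags counttype = custom when no alert_condition is present, which is how a UI-defined custom trigger is stored in newer versions, an assumption rather than something the thread states), and summarize_scheduler() parses scheduler.log lines per saved search. The stanza name "CPU usage by process", the "Disk alert" search and all log lines are constructed for the example; they imitate scheduler.log's key=value layout but are not a real capture.

```python
"""Added example: lint a savedsearches.conf stanza and summarize scheduler.log."""
import configparser
import re
from collections import defaultdict

# Values listed for counttype in the savedsearches.conf.spec quoted in the thread.
DOCUMENTED_COUNTTYPES = {"number of events", "number of hosts",
                         "number of sources", "always"}


def check_stanza(conf_text, stanza):
    """Return a list of findings for one stanza; an empty list means nothing was found."""
    cp = configparser.ConfigParser(interpolation=None)  # SPL contains '%', so no interpolation
    cp.read_string(conf_text)
    s = cp[stanza]
    findings = []
    if s.get("enableSched", "0") != "1":
        findings.append("enableSched is not 1, so the scheduler never runs this search")
    if s.get("action.email", "0") == "1" and not s.get("action.email.to"):
        findings.append("action.email = 1 but action.email.to is empty")
    counttype = s.get("counttype", "always")
    if counttype == "custom":
        # Assumption: newer versions store a custom trigger as counttype=custom plus an
        # alert_condition search. Without the condition there is nothing to evaluate.
        if not s.get("alert_condition"):
            findings.append("counttype = custom without alert_condition: nothing is evaluated; "
                            "use counttype = always or add alert_condition")
    elif counttype not in DOCUMENTED_COUNTTYPES:
        findings.append(f"counttype = {counttype!r} is not a documented value")
    elif counttype != "always" and not (s.get("relation") and s.get("quantity")):
        findings.append(f"counttype = {counttype} needs relation and quantity")
    return findings


# One key=value pair as scheduler.log writes it; quoted values may contain commas.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_scheduler(lines):
    """Turn SavedSplunker lines into dicts of their key=value fields."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in lines if "SavedSplunker" in line]


def summarize_scheduler(lines):
    """Per saved search: runs, runs with results, runs where 'email' was in alert_actions."""
    summary = defaultdict(lambda: {"runs": 0, "with_results": 0, "email_fired": 0})
    for e in parse_scheduler(lines):
        name = e.get("savedsearch_name")
        if not name:
            continue
        row = summary[name]
        row["runs"] += 1
        if int(e.get("result_count") or 0) > 0:
            row["with_results"] += 1
        if "email" in e.get("alert_actions", "").split(","):
            row["email_fired"] += 1
    return dict(summary)


# Constructed stanza: the settings from the question under an assumed stanza name.
CONF_AS_POSTED = """
[CPU usage by process]
search = index=perfmon source="perfmon:cputime" counter="% Processor Time" earliest=-15m | stats avg(Value) as CpuUsage by role,host | where CpuUsage > 10
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1
"""

# Same stanza with the trigger changed to fire whenever the search returns results.
CONF_FIXED = CONF_AS_POSTED.replace("counttype = custom", "counttype = always")

# Constructed scheduler.log lines (layout imitates the real file, values are made up).
SCHEDULER_LOG = [
    '03-05-2014 10:15:01.004 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;CPU usage by process", '
    'user="admin", app="search", savedsearch_name="CPU usage by process", status=success, digest_mode=1, '
    'scheduled_time=1393755300, dispatch_time=1393755301, run_time=1.9, result_count=3, alert_actions="", '
    'sid="scheduler__admin__search__RMD5example_at_1393755300_1", suppressed=0',
    '03-05-2014 10:15:02.118 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Disk alert", '
    'user="admin", app="search", savedsearch_name="Disk alert", status=success, digest_mode=1, '
    'scheduled_time=1393755300, dispatch_time=1393755302, run_time=0.7, result_count=1, alert_actions="email", '
    'sid="scheduler__admin__search__RMD5example_at_1393755300_2", suppressed=0',
    '03-05-2014 10:30:01.010 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;CPU usage by process", '
    'user="admin", app="search", savedsearch_name="CPU usage by process", status=success, digest_mode=1, '
    'scheduled_time=1393756200, dispatch_time=1393756201, run_time=2.1, result_count=2, alert_actions="", '
    'sid="scheduler__admin__search__RMD5example_at_1393756200_3", suppressed=0',
]

if __name__ == "__main__":
    for label, conf in (("as posted", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        print(label, check_stanza(conf, "CPU usage by process") or ["no findings"])
    for name, row in summarize_scheduler(SCHEDULER_LOG).items():
        print(name, row)
```

Run against a real scheduler.log (for example, `sudo tail -n 2000 $SPLUNK_HOME/var/log/splunk/scheduler.log`) the summary separates three cases that look identical from the inbox: the search never ran (runs = 0, check enableSched and cron_schedule), it ran but returned nothing (with_results = 0, the search or its time range is the problem), or it ran with results but never recorded the email action (email_fired = 0, the trigger condition or action settings are the problem). Only the last case points at the stanza, which is what the thread's symptoms describe.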

shreyasathavale
Communicator

Yes, if I run it manually, it gives me the output.

0 Karma

MuS
SplunkTrust

Did you check scheduler.log to see if this search fires alerts at all? Does your search produce the expected result if you run it manually?

0 Karma

shreyasathavale
Communicator

Hi, thanks for replying, but I am getting alerts for other searches, just not for this one. I could not find alert_actions="email" in the scheduler.log file 😞

0 Karma