Alerting

Not getting Email Alert for my saved search

shreyasathavale
Communicator

Hi,
Below is my saved search :

index=perfmon source="perfmon:cputime" counter="% Processor Time" earliest=-15m | stats avg(Value) as CpuUsage by role,host | where CpuUsage > 10 | join type=left max=0 host [search source="Perfmon:Process" | top limit=5 instance by host | rename instance AS Process | where (Process!="_Total" AND Process!="Idle" AND Process!="System") | fields role,CpuUsage,host,Process]

For this I am unable to get the email alert. The following is what I have added in savedsearches.conf:

action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com 
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1

What is wrong? I need help!


MuS
SplunkTrust

Hi shreyasathavale,

Check splunkd.log and python.log for any errors related to this saved search.
Check that your Splunk server is allowed to send out email, and keep in mind that if you're using a *nix server, Splunk expects localhost to be the sendmail server.
Also check scheduler.log for alert_action="email" to see whether any alert fired at all and whether the email was triggered.

hope this helps ...

cheers, MuS


shreyasathavale
Communicator

OK, thanks. I will try it and update here 🙂


MuS
SplunkTrust

Check this:

counttype =

Set the type of count for alerting.
Possible values: number of events, number of hosts, number of sources, and always.

You've set it to custom, which is not among the listed possible values.

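The two checks suggested in this thread (read scheduler.log for the saved search, and look at the trigger-condition keys in the savedsearches.conf stanza) can be done offline against a copied log and conf file. The script below is an added example and is not code from the thread or from Splunk. The scheduler.log lines and both stanzas are constructed for the example (the broken one mirrors the stanza posted above; the "fixed" one uses counttype = number of events with relation and quantity); the allowed counttype values are the ones quoted in the reply above, so adjust COUNTTYPES to the savedsearches.conf.spec shipped with your version.

```python
"""Offline triage for a scheduled Splunk alert that never sends email.

Two checks: (1) scan scheduler.log for the saved search: did it run, did it
return results, did it schedule the "email" action, was it suppressed;
(2) lint the trigger-condition keys of its savedsearches.conf stanza.
"""
import re
from typing import Dict, List

# counttype values as quoted from savedsearches.conf.spec in the thread;
# adjust to the spec file shipped with your Splunk version (assumption).
COUNTTYPES = {"number of events", "number of hosts", "number of sources", "always"}

# key=value or key="quoted value" pairs as written by SavedSplunker
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,]+)')


def parse_scheduler_line(line: str) -> Dict[str, str]:
    """Turn one SavedSplunker line into a dict; surrounding quotes are dropped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(lines: List[str], name: str) -> Dict[str, object]:
    """Summarise every scheduler.log run of saved search `name` and explain gaps."""
    runs = [r for r in map(parse_scheduler_line, lines)
            if r.get("savedsearch_name") == name]
    if not runs:
        return {"ran": False, "fired_email": False,
                "findings": ["no scheduler.log entry: check enableSched and cron_schedule"]}
    last = runs[-1]
    count = int(last.get("result_count", "0"))
    fired = any("email" in r.get("alert_actions", "").split(",") for r in runs)
    findings: List[str] = []
    if last.get("status") != "success":
        findings.append(f"last run status={last.get('status')}: search the sid in splunkd.log")
    elif count == 0:
        findings.append("last run returned 0 results: the search matches nothing on schedule")
    elif not fired:
        findings.append("results present but alert_actions lacks email: "
                        "the trigger condition never evaluated true")
    if last.get("suppressed") == "1":
        findings.append("run was throttled by alert.suppress")
    return {"ran": True, "status": last.get("status"), "result_count": count,
            "fired_email": fired, "findings": findings}


def parse_stanza(text: str) -> Dict[str, str]:
    """Minimal savedsearches.conf stanza reader (one stanza, key = value lines)."""
    stanza: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        stanza[key.strip()] = value.strip()
    return stanza


def lint_trigger(stanza: Dict[str, str]) -> List[str]:
    """Flag trigger/scheduling combinations that keep an alert from ever firing."""
    problems: List[str] = []
    ct = stanza.get("counttype", "always")
    if ct not in COUNTTYPES:
        problems.append(f"counttype={ct!r} is not a listed value")
    elif ct == "always" and ("relation" in stanza or "quantity" in stanza):
        problems.append("counttype=always must not be combined with relation/quantity")
    elif ct != "always" and not ("relation" in stanza and "quantity" in stanza):
        problems.append(f"counttype={ct!r} needs both relation and quantity")
    if "alert_condition" in stanza and any(k in stanza for k in ("counttype", "relation", "quantity")):
        problems.append("alert_condition must not be combined with counttype/relation/quantity")
    if stanza.get("enableSched") != "1":
        problems.append("enableSched is not 1: the search is never scheduled")
    if stanza.get("action.email") == "1" and not stanza.get("action.email.to"):
        problems.append("action.email=1 but action.email.to is empty")
    return problems


# Constructed scheduler.log sample (not real data): "CPU alert" ran with results
# but scheduled no action; "Disk alert" scheduled the email action.
SCHEDULER_LOG = """\
02-01-2016 10:15:00.123 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;CPU alert", user="admin", app="search", savedsearch_name="CPU alert", priority=default, status=success, digest_mode=1, scheduled_time=1454321700, run_time=1.42, result_count=3, alert_actions="", sid="scheduler__admin__search__RMD5c0ffee_at_1454321700_12", suppressed=0
02-01-2016 10:15:01.456 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Disk alert", user="admin", app="search", savedsearch_name="Disk alert", priority=default, status=success, digest_mode=1, scheduled_time=1454321700, run_time=0.81, result_count=2, alert_actions="email", sid="scheduler__admin__search__RMD5deadbeef_at_1454321700_13", suppressed=0
"""

# Constructed stanzas: the first mirrors the one posted in the thread.
BROKEN_STANZA = """\
[CPU alert]
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1
"""

FIXED_STANZA = BROKEN_STANZA.replace(
    "counttype = custom", "counttype = number of events\nrelation = greater than\nquantity = 0")

if __name__ == "__main__":
    print(triage(SCHEDULER_LOG.splitlines(), "CPU alert"))
    print(lint_trigger(parse_stanza(BROKEN_STANZA)))
    print(lint_trigger(parse_stanza(FIXED_STANZA)))
```

Run it against a real scheduler.log (index=_internal sourcetype=scheduler exported to a file, or the file itself from a diag) with your alert's savedsearch_name; a run with result_count > 0 and an empty alert_actions points at the trigger condition rather than at the mail server, while no entry at all points at scheduling.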

shreyasathavale
Communicator

Yes, if I run it manually, it gives me the output.


MuS
SplunkTrust

Did you check scheduler.log to see whether this search fires alerts at all? Does your search produce the expected result if you run it manually?


shreyasathavale
Communicator

Hi, thanks for replying, but I am getting alerts for other searches and not for this one. I could not find alert_actions="email" in the scheduler.log file 😞
