Hi,
Below is my saved search:
index=perfmon source="perfmon:cputime" counter="% Processor Time" earliest=-15m | stats avg(Value) as CpuUsage by role,host |where CpuUsage > 10 | join type=left max=0 host [search source="Perfmon:Process"|top limit=5 instance by host|rename instance AS Process|where (Process!="_Total" AND Process!="Idle" AND Process!="System")|fields role,CpuUsage,host,Process]
For this I am unable to get an email alert. I have added the following in the savedsearch.conf file:
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1
What is wrong? Need help!!!
Hi shreyasathavale,
Check splunkd.log and python.log for any error related to this saved search.
Check that your Splunk server is allowed to send out email, and keep in mind that if you're using a *nix server, Splunk expects localhost to be the sendmail server.
Also check scheduler.log for alert_action="email" to see if any alert was fired at all and if the email was triggered.
Hope this helps ...
cheers, MuS
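An added example, not part of the thread or of Splunk itself: a small Python parser for the scheduler.log check suggested in the answer above, reporting whether a saved search ran, returned results, and triggered the email action. The sample log lines and search names are constructed, and the key=value layout is an assumption based on how scheduler.log entries are typically written.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value layout scheduler.log typically uses.
# Saved-search names, sids and values are made up for illustration.
SAMPLE_LOG = '''\
04-10-2014 10:15:03.101 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;CPU High", user="admin", app="search", savedsearch_name="CPU High", status=success, digest_mode=1, scheduled_time=1397124900, run_time=2.310, result_count=4, alert_actions="", sid="scheduler_a1", suppressed=0
04-10-2014 10:15:04.220 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Disk Full", user="admin", app="search", savedsearch_name="Disk Full", status=success, digest_mode=1, scheduled_time=1397124900, run_time=0.812, result_count=2, alert_actions="email", sid="scheduler_a2", suppressed=0
04-10-2014 10:30:00.050 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;CPU High", user="admin", app="search", savedsearch_name="CPU High", status=skipped, reason="max concurrent searches reached", scheduled_time=1397125800
'''

# key="quoted value" or key=bare_value (bare values end at a comma or whitespace)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one scheduler.log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def diagnose(log_text, search_name):
    """Summarise scheduled runs of one saved search and say where alerting stops."""
    runs = [f for f in map(parse_line, log_text.splitlines())
            if f.get("savedsearch_name") == search_name]
    status = Counter(f.get("status", "unknown") for f in runs)
    emailed = sum("email" in f.get("alert_actions", "").split(",") for f in runs)
    with_results = sum(int(f.get("result_count", 0)) > 0 for f in runs)
    if not runs:
        verdict = "never scheduled: check enableSched and cron_schedule"
    elif emailed:
        verdict = "email action triggered: check python.log and the mail server"
    elif with_results:
        verdict = "ran with results but no email action: check the alert condition"
    elif status.get("success"):
        verdict = "ran but returned no results"
    else:
        verdict = "no successful run: check skipped or failed status"
    return {"runs": len(runs), "status": dict(status),
            "emailed": emailed, "verdict": verdict}

if __name__ == "__main__":
    for name in ("CPU High", "Disk Full", "Not Scheduled"):
        print(name, diagnose(SAMPLE_LOG, name))
```

To use it on a real instance, pass the contents of scheduler.log and the exact saved search name instead of the constructed sample.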
Ok, thanks.. I will try it and will update it here 🙂
check this:
counttype =
Set the type of count for alerting.
Possible values: number of events, number of hosts, number of sources, and always.
You've set it to custom, which is not listed as a possible value.
Yes, if I run it manually, it gives me the output.
Did you check scheduler.log to see if this search fires alerts at all? Does your search produce the expected result if you run it manually?
Hi, thanks for replying, but I am getting alerts for other searches but not for this one. I could not find alert_actions="email" in the scheduler.log file 😞