Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not getting Email Alert for my saved search

shreyasathavale
Communicator
‎04-25-2014 03:34 AM

Hi,
Below is my saved search :

index=perfmon source="perfmon:cputime" counter="% Processor Time" earliest=-15m | stats avg(Value) as CpuUsage by role,host |where CpuUsage > 10 | join type=left max=0  host [search source="Perfmon:Process"|top limit=5 instance by host|rename instance AS Process|where (Process!="_Total" AND Process!="Idle" AND Process!="System")|fields role,CpuUsage,host,Process]

for this I am unable to get Email alert, following I have added in savedsearch.conf file

action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com 
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1

What is wrong need help!!!

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-25-2014 04:54 AM

Hi shreyasathavale,

Check splunkd.log and python.log for any error related to this saved search.
Check that your splunk server is allowed to send out email and/or keep in mind that if you're using a *nix server splunk expects localhost to be the sendmail server.
Also check scheduler.log for alert_action="email" to see if any alert was fired at all and if the email was triggered

hope this helps ...

cheers, MuS

0 Karma
Reply

shreyasathavale
Communicator
‎04-25-2014 06:50 AM

Ok, thanks.. I will try it and will update it here 🙂

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-25-2014 06:46 AM

check this:

counttype =

Set the type of count for alerting.
Possible values: number of events, number of hosts, number of sources, and always.
You've set it to custom which is not listed as possible values

0 Karma
Reply

shreyasathavale
Communicator
‎04-25-2014 06:43 AM

Yes, if I run it manually , it gives me the output

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-25-2014 06:39 AM

did you check scheduler.log to see if this search fires alerts at all? does your search produces the expected result if you run it manually?

0 Karma
Reply

shreyasathavale
Communicator
‎04-25-2014 06:26 AM

Hi, Thanks for replying..but I am getting alert for other searches but not for this..could not fid alert_actions="email" in scheduler.log file 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...