Alerting

Not getting Email Alert for my saved search

shreyasathavale
Communicator

Hi,
Below is my saved search :

index=perfmon source="perfmon:cputime" counter="% Processor Time" earliest=-15m | stats avg(Value) as CpuUsage by role,host |where CpuUsage > 10 | join type=left max=0  host [search source="Perfmon:Process"|top limit=5 instance by host|rename instance AS Process|where (Process!="_Total" AND Process!="Idle" AND Process!="System")|fields role,CpuUsage,host,Process]

for this I am unable to get Email alert, following I have added in savedsearch.conf file

action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = myemailid@gmail.com 
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
counttype = custom
cron_schedule = */15 * * * *
enableSched = 1

What is wrong need help!!!

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi shreyasathavale,

Check splunkd.log and python.log for any error related to this saved search.
Check that your splunk server is allowed to send out email and/or keep in mind that if you're using a *nix server splunk expects localhost to be the sendmail server.
Also check scheduler.log for alert_action="email" to see if any alert was fired at all and if the email was triggered

hope this helps ...

cheers, MuS

0 Karma

shreyasathavale
Communicator

Ok, thanks.. I will try it and will update it here 🙂

0 Karma

MuS
SplunkTrust
SplunkTrust

check this:

counttype =

Set the type of count for alerting.
Possible values: number of events, number of hosts, number of sources, and always.
You've set it to custom which is not listed as possible values

0 Karma

shreyasathavale
Communicator

Yes, if I run it manually , it gives me the output

0 Karma

MuS
SplunkTrust
SplunkTrust

did you check scheduler.log to see if this search fires alerts at all? does your search produces the expected result if you run it manually?

0 Karma

shreyasathavale
Communicator

Hi, Thanks for replying..but I am getting alert for other searches but not for this..could not fid alert_actions="email" in scheduler.log file 😞

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...