Alerting

Real Time Alerting

tnconners
Explorer

I'm working on configuring some basic alerts for a system. This is Splunk 5.0.2 on Windows 2008 R2.

The search is very simple:

Source = "E:\Program Files*" High

which returns results every time. Now, before fine-tuning the search, I want to confirm that the alerts will fire correctly through the alert manager and SMTP.

My parameters for the alert are as follows:
Start Time: rt, End Time: rt

Alert
Condition Always

Alert Mode once per result

no throttling

Expiration 24 hours

Severity High

Send email "valid email address with subject etc"

Tracking enabled

This alert should be overloading my inbox with emails, but it's not showing in alert manager even. The only thing I can think of is we currently have license violations on this instance, but searching and alerting are not yet disabled. The capacity for the day is blown though.

Any help is appreciated!

EDIT: Turned out that we had way too many saved searches (that were no longer relevant since we are making our alerts generic). I cleared them out of the saved searches .conf file and things started running better. I also had upgraded from 5.0.2 to 5.0.5.

Thanks for your help everyone!

0 Karma

jtacy
Builder

There was a problem with 5.0.2 that affected real time alerts and was fixed in 5.0.3. It's in the 5.0.3 release notes as "Real Time Alerts not working consistently in 5.0.2. (SPL-62129)". Might be worth taking a brief outage to upgrade to 5.0.5. Good luck!

0 Karma

lukejadamec
Super Champion

If the search works manually, then it is not a license issue. When you have too many violations in a 30 day period then you can't search at all.

Your start time should be rt-1m
Consider setting the alert condition to trigger on number of results greater than 1.

Don't test the search from the search app, test it by selecting Run from the Manager > Searches and Reports.

You can also reconfigure to run as a scheduled search that runs every minute, and trigger on number of results greater than 1.
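As an added illustration of the two configurations discussed in this thread (the real-time alert the question describes and the once-a-minute scheduled alert with a "number of results" trigger suggested above), and of the cleanup in the question's EDIT, here is a small script that parses a savedsearches.conf, lists which stanzas are scheduled, flags real-time ones, and rewrites a real-time stanza as a scheduled one. This is example code written for this page, not code from the original posts or from Splunk. The sample conf is constructed; the key names are the savedsearches.conf settings as documented for Splunk 5.x (`dispatch.earliest_time`, `counttype`, `relation`, `quantity`, `alert.digest_mode`, etc.), the stanza names and e-mail address are made up, and the search uses the lowercase field name `source`, since Splunk field names are case-sensitive.

```python
"""Audit a Splunk savedsearches.conf and convert a real-time alert to a
scheduled one. Example code written for this page; not from the original
thread or from Splunk. The conf text below is constructed sample data."""
import configparser
from typing import Dict, List

# Constructed sample savedsearches.conf (assumption: Splunk 5.x key names).
# Stanza 1 mirrors the real-time alert from the question; stanza 2 is the
# scheduled equivalent suggested in the answer; stanza 3 is dead weight of
# the kind the question's EDIT says was cleared out.
SAMPLE_CONF = r"""
[High events rt]
search = source="E:\Program Files*" High
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
counttype = always
alert.digest_mode = 0
alert.expires = 24h
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $name$

[High events scheduled]
search = source="E:\Program Files*" High
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
alert.expires = 24h
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $name$

[Old report no longer needed]
search = index=_internal | stats count
enableSched = 0
"""


def parse_savedsearches(text: str) -> configparser.ConfigParser:
    """Parse conf text; keep key case and disable '%' interpolation, since
    Splunk keys are case-sensitive and values may contain '$' and '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase keys such as enableSched
    cp.read_string(text)
    return cp


def is_realtime(opts: Dict[str, str]) -> bool:
    """A stanza is a real-time search if either dispatch bound uses 'rt'."""
    return (opts.get("dispatch.earliest_time", "").startswith("rt")
            or opts.get("dispatch.latest_time", "").startswith("rt"))


def audit(text: str) -> Dict[str, List[str]]:
    """Group stanzas into scheduled / real-time / disabled lists so an
    oversized savedsearches.conf can be pruned deliberately."""
    cp = parse_savedsearches(text)
    report: Dict[str, List[str]] = {"scheduled": [], "realtime": [], "disabled": []}
    for name in cp.sections():
        opts = dict(cp[name])
        if opts.get("enableSched", "0") != "1":
            report["disabled"].append(name)
            continue
        report["scheduled"].append(name)
        if is_realtime(opts):
            report["realtime"].append(name)
    return report


def rewrite_as_scheduled(opts: Dict[str, str], window: str = "-1m") -> Dict[str, str]:
    """Turn a real-time alert into a cron-driven one over a fixed window that
    fires once per run when the search returns at least one result."""
    out = dict(opts)
    out["dispatch.earliest_time"] = window
    out["dispatch.latest_time"] = "now"
    out["counttype"] = "number of events"
    out["relation"] = "greater than"
    out["quantity"] = "0"
    out["alert.digest_mode"] = "1"  # one e-mail per run, not one per event
    out.setdefault("cron_schedule", "* * * * *")
    return out


def format_stanza(name: str, opts: Dict[str, str]) -> str:
    """Render a stanza back into savedsearches.conf syntax."""
    lines = [f"[{name}]"] + [f"{k} = {v}" for k, v in opts.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    rt = dict(parse_savedsearches(SAMPLE_CONF)["High events rt"])
    print(format_stanza("High events rt (scheduled)", rewrite_as_scheduled(rt)))
```

One caveat on the scheduled form: a search over `-1m` to `now` that runs every minute can miss events that are indexed after the run in which their `_time` fell, so if the source has any indexing lag, widen the window or shift it back (for example `-2m` to `-1m`) rather than searching right up to `now`.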

lukejadamec
Super Champion

Try creating a new scheduled search from scratch. I had one that behaved like this once, and I had to create a new search to fix it.

0 Karma

tnconners
Explorer

Tried all of your suggestions, Still no luck. I also upgraded as jtacy suggested. It seems like my scheduled searches are never starting. (I've watched the jobs screen).

0 Karma

exd42062
Path Finder

Splunk regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.

0 Karma