Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Real Time Alerting

tnconners
Explorer
‎10-11-2013 11:22 AM

I'm working on configuring some basic alerts for the a system. This is splunk 5.0.2 on Windows 2008 R2.

The search is very simple:

Source = "E:\Program Files*" High

which returns results every time, now before fine tuning the search I wan to confirm that the alerts will fire correctly through alert manager and SMTP.

My parameters for the alert is as follows:
Start Time rt End time rt

Alert
Condition Always

Alert Mode once per result

no throttling

Expiration 24 hours

Severity High

Send email "valid email address with subject etc"

Tracking enabled

This alert should be overloading my inbox with emails, but it's not showing in alert manager even. The only thing I can think of is we currently have license violations on this instance, but searching and alerting are not yet disabled. The capacity for the day is blown though.

Any help is appreciated!

EDIT: Turned out that we had way to many saved searches (that were no longer relevant since we are making out alerts generic) I cleared them out of the saved searches .conf file and things started running better. I also had upgraded from 5.02 to 5.05.

Thanks for your help everyone!

Tags (1)
0 Karma
Reply

jtacy
Builder
‎10-13-2013 01:26 PM

There was a problem with 5.0.2 that affected real time alerts and was fixed in 5.0.3. It's in the 5.0.3 release notes as "Real Time Alerts not working consistently in 5.0.2. (SPL-62129)". Might be worth taking a brief outage to upgrade to 5.0.5. Good luck!

0 Karma
Reply

lukejadamec
Super Champion
‎10-13-2013 03:55 AM

If the search works manually, then it is not a license issue. When you have to many violations in a 30 day period then you can't search at all.

Your start time should be rt-1m
Consider setting the alert condition to trigger on number of results greater than 1.

Don't test the search from the search app, test it by selecting Run from the Manager > Searches and Reports.

You can also reconfigure to run as a scheduled search that runs every minute, and trigger on number of results greater than 1.

Reply

lukejadamec
Super Champion
‎10-15-2013 09:37 AM

Try creating a new scheduled search from scratch. I had one that behaved like this once, and I had to create a new search to fix it.

0 Karma
Reply

tnconners
Explorer
‎10-14-2013 10:54 AM

Tried all of your suggestions, Still no luck. I also upgraded as jtacy suggested. It seems like my scheduled searches are never starting. (I've watched the jobs screen).

0 Karma
Reply

exd42062
Path Finder
‎10-12-2013 06:31 PM

Splunk regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...