Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Simple alert still does not fire
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
I had trouble last year making a simple alert work in Splunk (topic: "Simple alert not working?"). I could not make it work so I used Python SDK and alerted using python. Now I want to try to make Splunk alert again. I have tried many simple tests, and I have never successfully made an alert fire. I must be doing something simple wrong.
I have streaming data that comes constantly. Can anyone suggest a trivial alert test I can try that can work?
For example, I try a search for all data on my index and get hundreds of results in most recent few minutes. Then I click "save as" and select "alert". I select to have alert type scheduled from Cron Schedule, and tell it to run every minute (* * * * *). I choose "trigger alert when" I select "number of results" and select "is greater than" with value "0". For trigger action I ask it to send me an e-mail.
I save the alert and it appears in my alerts list. But no longer how long I wait I never get an e-mail and the alert always says "There are no fired events for this alert". I have tried other Cron selections. I have also tried using "Real-time" instead of Cron Schedule, but it still does not fire.
Does anyone know how to make it fire?
Thank you very much for any help,
Pelin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
|noop|stats count|eval count = count + 1
Then trigger your alert to fire for Number of events greater than 0 and set it for every 5 minutes. Don't assume the email will to through but check for triggered alerts from the Alerts screen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
|noop|stats count|eval count = count + 1
Then trigger your alert to fire for Number of events greater than 0 and set it for every 5 minutes. Don't assume the email will to through but check for triggered alerts from the Alerts screen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much! I made this work on a different server. My first server has problems right now. Will try there too when it is working again.
But the e-mail does not work now. It is listed in the triggered alerts like you said. But no e-mail was sent. Do you know why the e-mail might not be working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have admin privileges on your Search Head, go to Settings -> Server settings -> Email settings. Here is blog that shows how to use gmail:
http://blogs.splunk.com/2014/06/27/splunk-alerts-using-gmail-twitter-phone-calls-and-much-more/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much, it worked!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
don't forget to click "Accept".
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
