Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk alert is not working

btshivanand
Path Finder
‎10-31-2020 01:27 AM

Hi Chaps,

Need some help to understand why the alert is not getting triggered. This alerts query, when executed over 7 days period gives nonzero counts of 6 i.e. greater than 5(Our condition is trigger alert when nonzero counts exceeds 5). I see that alert is not getting even though we have nonzero count is 6.When we checked scheduler log Email action is blank.i have pasted the screen shot for reference.Please help me in this regards.

Below is the query

sourcetype="*" LOG_MESSAGE="Retry*" "Collections.NCS" NOT LOG_MESSAGE="Retry #1 *" | timechart span=10m count | autoregress count p=1-5 | eval nonzero=if(count > 0, if(count_p1 > 0, if(count_p2 > 0, if(count_p3 > 0, if(count_p4 > 0, if(count_p5 > 0, 6, 5), 4), 3), 2), 1), 0) | fields _time, nonzero

 

i see the nonzero counts which exceeds  5.in below screen shot 

 

search query when we ran for over7 days of periodsearch query when we ran for over7 days of period

 

below is the scheduler log.i see alert_action is blank.


10-31-2020 08:10:07.566 +0000 INFO SavedSplunker - savedsearch_id="XXX;search; alert", search_type="", user="XXX", app="search", savedsearch_name="XXXX alert", priority=default, status=success, digest_mode=1, scheduled_time=1604131800, window_time=0, dispatch_time=1604131805, run_time=1.785, result_count=1015, alert_actions="", sid="scheduler__smadan__search__RMD5ab6a869ca92dbacc_at_1604131800_63960_638683B3-25D9-4D2A-AF2E-4E43362FDBFA", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

 

 

Please find the alert condition:

alert condition.png

 

 

 

 

 

 

 
 

 

 

 

 

Labels (5)
0 Karma
Reply

btshivanand
Path Finder
‎11-02-2020 05:47 AM

trigger condition is send email.please find the above screen shot you see where nonzero counts are exceeding 5.

 

0 Karma
Reply

renjith_nair
Legend
‎11-02-2020 05:29 AM

Have you set the trigger actions? In the screen shot its not visible, also the throttle settings.

Run the same search in search window and add the condition search nonzero > 5 to check the results

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...