Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk alert is not working

btshivanand
Path Finder
‎10-31-2020 01:27 AM

Hi Chaps,

Need some help to understand why the alert is not getting triggered. This alerts query, when executed over 7 days period gives nonzero counts of 6 i.e. greater than 5(Our condition is trigger alert when nonzero counts exceeds 5). I see that alert is not getting even though we have nonzero count is 6.When we checked scheduler log Email action is blank.i have pasted the screen shot for reference.Please help me in this regards.

Below is the query

sourcetype="*" LOG_MESSAGE="Retry*" "Collections.NCS" NOT LOG_MESSAGE="Retry #1 *" | timechart span=10m count | autoregress count p=1-5 | eval nonzero=if(count > 0, if(count_p1 > 0, if(count_p2 > 0, if(count_p3 > 0, if(count_p4 > 0, if(count_p5 > 0, 6, 5), 4), 3), 2), 1), 0) | fields _time, nonzero

 

i see the nonzero counts which exceeds  5.in below screen shot 

 

search query when we ran for over7 days of periodsearch query when we ran for over7 days of period

 

below is the scheduler log.i see alert_action is blank.


10-31-2020 08:10:07.566 +0000 INFO SavedSplunker - savedsearch_id="XXX;search; alert", search_type="", user="XXX", app="search", savedsearch_name="XXXX alert", priority=default, status=success, digest_mode=1, scheduled_time=1604131800, window_time=0, dispatch_time=1604131805, run_time=1.785, result_count=1015, alert_actions="", sid="scheduler__smadan__search__RMD5ab6a869ca92dbacc_at_1604131800_63960_638683B3-25D9-4D2A-AF2E-4E43362FDBFA", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

 

 

Please find the alert condition:

alert condition.png

 

 

 

 

 

 

 
 

 

 

 

 

Labels (4)
0 Karma
Reply

btshivanand
Path Finder
‎11-02-2020 05:47 AM

trigger condition is send email.please find the above screen shot you see where nonzero counts are exceeding 5.

 

0 Karma
Reply

renjith_nair
Legend
‎11-02-2020 05:29 AM

Have you set the trigger actions? In the screen shot its not visible, also the throttle settings.

Run the same search in search window and add the condition search nonzero > 5 to check the results

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...