Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk alert no results

sonila
Path Finder
‎05-09-2017 04:43 AM

alt text

I have made an email alert. but when i click to view events on triggered alert i see no results. why this happens? how can i show the results?

Tags (3)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎05-12-2017 03:40 PM

The only thing that I can think of is that your events are expiring between when the alert hits and when you double-check. This should tell you what the oldest event still in the index is. It should be weeks, if not months old but maybe it is hours or days old.

|metadata type=sourcetypes | search sourcetype=log4net
0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2017 09:20 AM

Usually when I have stuff that "tests OK" in an ad-hoc search but fails in a scheduled search it is due to pipeline latency. Check out the values of _indextime - _time for your events. These should be positive and no more than 300ish.

0 Karma
Reply

sonila
Path Finder
‎05-10-2017 01:15 PM

And what do you recommend after checking the values of _indextime - _time
_indextime - _time is less than 0 to my indexed data. What should i do?
_indextime - _time is around -9.581

0 Karma
Reply

woodcock
Esteemed Legend
‎05-11-2017 01:39 PM

Since the magnatude is so low, the problem is surely that your forwarders and/or indexers are not using NTP and have drifted from true. To see if it is your indexers, try this:

| rest /services/server/info 
| eval updated_t=round(strptime(updated, "%Y-%m-%dT%H:%M:%S%z")) 
| eval delta_t=now()-updated_t 
| eval delta=tostring(abs(delta_t), "duration") 
| table serverName, updated, updated_t, delta, delta_t

If delta is anything other than about 00:00:01 (which is easy to account for when processing a lot of indexers), you have clock skew and are a naughty boy because you should have setup NTP on your indexers.

NOTE: this IS a problem, but it is not the problem that you were asking about.

0 Karma
Reply

sonila
Path Finder
‎05-11-2017 02:39 PM

delta is 00:00:00 and _indextime - _time is around 9.581 it is positive

0 Karma
Reply

woodcock
Esteemed Legend
‎05-11-2017 03:23 PM

In that case never mind this whole answer.

0 Karma
Reply

sonila
Path Finder
‎05-12-2017 12:27 AM

can you help me about my problem why i dont see results in splunk?

0 Karma
Reply

kmaron
Motivator
‎05-09-2017 06:20 AM

Your trigger times in the capture show 12:27 to 12:34 but your search shows 1:11 to 1:21. Is it possible that there were no triggered events between 1:11 and 1:21? What if you change your search time frame to the 12:27-12:34?

0 Karma
Reply

sonila
Path Finder
‎05-09-2017 02:55 PM

I tried but no result again

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...