Splunk cloud light: Why does a real-time alert not...

marick · ‎09-18-2015

A real-time alert that looks for 0 events in the last N minutes does not seem to send any email. It does put entries in the triggered alerts log.

The alert contains this data:

trigger condition: "Number of Results is = 0 in 5 minutes."
search condition: processed customer=32323 sourcetype="splunktest-too_small"

We have another alert that triggers whenever "fire_alert" appears in the log. When I trigger that alert, I see index=_internal log spewage of the form

... savedsearch_name="fire_alert", status=success, digest_mode=0, scheduled_time=1442592619, window_time=0, dispatch_time=1442592620, run_time=1830.371, result_count=1, alert_actions="email", ...

There is no similar line in the log when the first real-time alert is triggered.

mosman_splunk · ‎05-12-2016

check your alert_actions.conf and make sure your either you have the correct username and passwrod or your SMTP is white listing you .
good luck

jterry · ‎05-12-2016

hard to say. there may be something wrong w/the mail server or mail config.
try searching for: "index=_internal ERROR"

muebel · ‎10-04-2015

can you add the config from savedsearches.conf? Maybe something is off with the email config. Are you able to use the send email action for any alerts at all?

Splunk cloud light: Why does a real-time alert not seem to send any email, but it appears in the triggered alerts log?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!