Hello,
I just started with Splunk and I need your help. I am not sure why alerts are not working for me.
This is an example (looking for a ping event + PowerShell).
I set it up to send an email to my inbox (do I need to configure SMTP or something, or will it work without any configuration?).
Also I can't see anything in the Alert tab, just a comment: "There are no fired events for this alert."
I am not sure what I am doing wrong, please help me if you can! Many thanks.
(I have the 60-day free Splunk.)
Thank you
When you are using a real-time alert (really you never need to use real-time alerts; those usually generate more issues than they solve), it fires only when new events are coming in, not for those which you have already indexed. I propose that you change this to a "historic" alert where you define the time slot from which you are looking for those events, and then add a regular time when Splunk runs it (cron, or regularly once an hour/day etc.).
r. Ismo
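As an added illustration of the scheduled ("historic") alert described above (this is not configuration from the thread or from Splunk's documentation), here is a savedsearches.conf stanza that runs the search every 15 minutes over the previous 15 minutes and records each trigger so it appears under Activity -> Triggered Alerts. The index name, the sourcetype (Windows PowerShell script block logging, Event ID 4104, ingested as XML by the Splunk Add-on for Windows), the recipient address and the field names are assumptions; adjust them to match how your own ping/PowerShell events are indexed.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# Example stanza for a scheduled alert (added illustration, not from the thread).
# Assumptions: index "main"; PowerShell script block logging (Event ID 4104)
# ingested as sourcetype "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational";
# the goal is to flag script blocks that invoke ping.
[PowerShell ping activity]
search = index=main sourcetype="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 ScriptBlockText="*ping*" | table _time host ScriptBlockText

# Scheduled alert instead of real-time: run every 15 minutes over the last 15 minutes.
# Keeping the window equal to the cron interval avoids gaps and duplicate triggers.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Trigger when the search returns at least one event
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Record each trigger so it is listed under Activity -> Triggered Alerts
alert.track = 1
alert.severity = 4

# Email action; only works once SMTP is configured under
# Settings -> Server Settings -> Email Settings (recipient address is a placeholder)
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ ($job.resultCount$ results)
action.email.include.results_link = 1
```

After saving the file, restart Splunk or reload the search app, then check the alert's "View recent" page: a scheduled alert only shows fired events for runs whose time window actually contained matching events, so set the window (and, while testing, the cron interval) wide enough to cover the events you already see in Search. The `*ping*` wildcard match is deliberately broad and will be noisy on hosts that run ping legitimately; narrow it once you know what normal looks like in your environment.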
@Pablo00 - Alerting is one of the features which is not available in the Free license.
https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/MoreaboutSplunkFree
-------
I hope this helps! Kindly upvote if it does!
Thanks, so this applies even to the Enterprise Trial? I just registered and downloaded, so I thought I would be able to use all the features.
"When you first download and install Splunk Enterprise, an Enterprise Trial license is created and enabled by default. You can continue to use the Enterprise Trial license until it expires, or switch to the Free license right away depending on your requirements."
So I understand there are no alerts via email, but also no alerts in the Splunk Alerts tab as well?
Please read this comment (after the trial ends).
Hi
Unless you can send email from your server's/workstation's command line, you must configure SMTP settings. You can find those under Settings -> Server Settings -> Email Settings. The default is to use the server's local email server (which you don't have on a laptop/workstation, and which may not be configured on your servers either).
r. Ismo
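The Email Settings page mentioned above writes to the `[email]` stanza of alert_actions.conf, whose default `mailserver` is `localhost`, which is exactly why an unconfigured laptop or workstation cannot deliver alert mail. The following is an added example of the equivalent file-based configuration pointing at an external relay; it is not from the thread or from Splunk's documentation, and the relay host, port, account and Splunk URL are placeholders you would replace with your own.

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/alert_actions.conf
# Example [email] stanza (added illustration, not from the thread).
# Assumptions: an SMTP relay at smtp.example.com:587 accepting STARTTLS with
# a dedicated sending account; all values below are placeholders.
[email]
# Default is localhost; point it at a real relay instead
mailserver = smtp.example.com:587
# Use STARTTLS on port 587 (use_ssl = 1 would be for an SMTPS port such as 465)
use_tls = 1
auth_username = splunk-alerts@example.com
# Splunk encrypts this value in the file on the next restart; still keep the
# file out of version control while it holds the cleartext password
auth_password = <placeholder-password>
from = splunk-alerts@example.com
# Base URL used for the "view results" links in alert emails
hostname = https://splunk.example.com:8000
```

A quick way to check the relay before relying on an alert to exercise it is to send a test message from the search bar with the `sendemail` command, for example `| makeresults | sendemail to="you@example.com" subject="Splunk SMTP test"`; delivery failures are logged in `$SPLUNK_HOME/var/log/splunk/python.log`, which is the first place to look when the alert fires but no mail arrives.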
Thank you!
So email alerts are a bit advanced then. I will try to do it anyway (as I have access to an Azure cloud subscription).
But I am wondering why I am not able to see any alerts in the web app? (When I go to Search I am able to see the events, so the alert should be triggered?)
Many thanks
Thank you for your help. I understand that now!
Very much appreciated 🙂