Why are alerts not triggered for searches using newly created indexes?

New Member

Hi All,

I have a problem with alert configuration. I find that the alerts are triggered successfully when the alert is searching the main index, but searches on my newly created indexes fail to trigger any alerts. Could anyone advise on this issue?

PS: my savedsearch config is under the "search" app with the owner "admin"

0 Karma

Esteemed Legend

Debug it by logging in as user admin and running the alert's search, peeling off piped clauses from the right side until you get the data that you expect. There could be a problem with permissions or maybe even the "indexes searched by default" setting; to eliminate the latter, be sure to explicitly set your index with index=* or similar.

0 Karma
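
Added example, not part of the original thread: the two settings the answer points at (index permissions and "indexes searched by default"), shown next to an alert search that names its index explicitly. The role name `role_alert_owner`, the index `app_logs`, the sourcetype and the alert name are assumptions made up for illustration.

```ini
# authorize.conf (constructed example; role and index names are assumptions)
[role_alert_owner]
# Indexes this role is allowed to search at all.
# A new index that is missing here returns no events for the role.
srchIndexesAllowed = main;app_logs
# Indexes searched when the query contains no index= term.
# With only "main" listed, a search without index=app_logs
# never looks at the new index, so the alert sees zero events.
srchIndexesDefault = main

# savedsearches.conf (constructed example)
# A scheduled search runs as its owner, so the owner's role settings apply.
[New index error alert]
# Before: depends on srchIndexesDefault, so only "main" is searched.
# search = sourcetype=app:error
# After: the index is named explicitly, independent of the role default.
search = index=app_logs sourcetype=app:error
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
```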