Alerting

Why are my alerts not being triggered?

Explorer

I have an alert that I created. When I click "Open in Search" and trigger the event, it shows up in the search window, but the event does not trigger the alert (send e-mail, execute the script, or show up in Triggered Alerts).

The alert is in the savedsearches.conf file in system/local and shows up with the Owner as "nobody", the App as "system" and Sharing as "Global".

What can I do to fix this problem? I have several alerts and it appears that none of them are working properly at this time.

UPDATE: It appears the number of searches may be partially responsible. When I have just one real-time alert in the savedsearches.conf file it appears to work correctly, but when I get up to 6, it stops working. The requirements being fulfilled by Splunk require as many as 14 real time searches to trigger alerts when necessary, so I definitely need some kind of solution to this problem.

1 Solution

SplunkTrust

Manually running the search isn't supposed to trigger the alert action, you need to wait for a scheduled run... not sure if that's what's missing here though, do elaborate if not.


Path Finder

Try searching Splunk for index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" status!=success OR NOT INFO.

You can also search directly in scheduler.log.

Explorer

Thank you!

index=_internal source=*scheduler.log status!=success OR NOT INFO savedsearch_name="[name of saved search here]" | dedup reason | table reason

In my case, reason == "maxRtsearches limit reached"



SplunkTrust

Great. For future growth, there should be logs in _internal stating that this limit has been reached... I think. If you found those you could consider setting up a (non-realtime) alert for them to add more cores / add more search heads / increase the limit.


Explorer

That did the trick. I changed base_max_searches and max_rtsearch_multiplier and now they're all showing up in Jobs and my test one is responding properly.

SplunkTrust

There are two limits to be concerned about here, one is the number of real-time searches your user can run (see Settings -> Authentication -> Roles), the other is the number of real-time searches your Search Head can run (see limits.conf, depends on the number of cores your SH has).

Not sure how the limit for the nobody user is calculated though.
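To see both halves of this diagnosis together (the scheduler.log triage search from the "Thank you!" reply above and the per-search-head real-time limit described here), here is an added example that is not part of the original thread: it runs the equivalent of `status!=success ... | dedup reason | table reason` over constructed scheduler.log lines and computes the real-time concurrency ceiling from limits.conf values. The log line layout, the field names beyond savedsearch_name/status/reason, and the formula (max_rtsearch_multiplier × (max_searches_per_cpu × cores + base_max_searches), with defaults 6, 1 and 1.0) are assumptions, not quoted from the page.

```python
import re
from typing import Dict, Iterable, List, Set

# Matches key=value or key="quoted value" pairs in a scheduler.log line.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_scheduler_line(line: str) -> Dict[str, str]:
    """Extract key=value fields from one scheduler.log line (format assumed)."""
    fields = {}
    for m in _KV.finditer(line):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[m.group(1)] = value.rstrip(",")
    return fields


def failed_searches(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each saved search with status != success to its distinct reasons,
    the same triage the SPL 'status!=success | dedup reason | table reason' does."""
    out: Dict[str, Set[str]] = {}
    for line in lines:
        f = parse_scheduler_line(line)
        name, status = f.get("savedsearch_name"), f.get("status")
        if name is None or status is None or status == "success":
            continue
        out.setdefault(name, set()).add(f.get("reason", "<no reason logged>"))
    return out


def max_rt_searches(cores: int, base_max_searches: int = 6,
                    max_searches_per_cpu: int = 1,
                    max_rtsearch_multiplier: float = 1.0) -> int:
    """Search-head-wide ceiling on concurrent real-time searches (assumed
    limits.conf formula; defaults are assumptions, check your own limits.conf)."""
    historical = max_searches_per_cpu * cores + base_max_searches
    return int(historical * max_rtsearch_multiplier)


# Constructed sample lines in the assumed scheduler.log layout.
SAMPLE_LOG: List[str] = [
    '04-23-2024 10:00:01.000 -0400 INFO  SavedSplunker - savedsearch_name="Login failures", user="nobody", app="search", status=success, run_time=1.2',
    '04-23-2024 10:00:02.000 -0400 WARN  SavedSplunker - savedsearch_name="Privilege escalation", user="nobody", app="search", status=skipped, reason="maxRtsearches limit reached"',
    '04-23-2024 10:00:03.000 -0400 WARN  SavedSplunker - savedsearch_name="Privilege escalation", user="nobody", app="search", status=skipped, reason="maxRtsearches limit reached"',
    '04-23-2024 10:00:04.000 -0400 ERROR SavedSplunker - savedsearch_name="Outbound beacon", user="nobody", app="search", status=failed, reason="search could not be dispatched"',
]

if __name__ == "__main__":
    for name, reasons in failed_searches(SAMPLE_LOG).items():
        print(f"{name}: {sorted(reasons)}")
    # A 4-core search head with defaults allows 10 concurrent real-time searches;
    # 14 real-time alerts need max_rtsearch_multiplier raised, more cores, or both.
    print("rt limit, 4 cores, defaults:", max_rt_searches(4))
    print("rt limit, 4 cores, multiplier 2:", max_rt_searches(4, max_rtsearch_multiplier=2))
```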

Explorer

It appears the number of searches may be partially responsible. When I have just one real-time alert in the savedsearches.conf file it appears to work correctly, but when I get up to 6, it stops working. The requirements being fulfilled by Splunk require as many as 14 real time searches to trigger alerts when necessary, so I definitely need some kind of solution to this problem.


SplunkTrust

Yeah, running in system/local isn't such a great idea... however, if they're still not running if moved to an app context then there's gotta be an error message for that that's different from the system/local one.


Explorer

I see 8 searches in the Jobs view, but not one for each of my alerts. Four have their status marked as "Done", while 4 others (which are some of my alerts, but not the one I'm using for testing) have the status "Running (100%)".

I see an entry in the scheduler log indicating that it cannot execute scheduled searches that live at the system level for some reason, but I'm getting the same behavior regardless of whether my savedsearches.conf file is in apps/search/local or system/local (with a restart after moving the file so the searches are moved into an app context).


SplunkTrust

I see. There's a huge list of things that could be going wrong. Is the search running in the job inspector and showing results? What's the trigger condition and similar configs for the alert? Anything suspicious / erroring in _internal?


Explorer

The search for the alert is real-time, not scheduled. I'm just using the fact that the entry is showing up in search using the same criteria to prove to myself that the event was received.
