Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is alert_action value is 0 or empty but the actual log has "email" value?

vn_g
Path Finder
‎12-08-2020 12:51 AM

Query :

index=_internal sourcetype=scheduler thread_id="AlertNotifier*" "email"
| fillnull

Sample Log :

12-06-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", search_type="", user="abc", app="search", savedsearch_name="TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", priority=default, status=success, digest_mode=1, scheduled_time=1607241900, window_time=0, dispatch_time=1607241903, run_time=6.113, result_count=2, alert_actions="email", sid="scheduler_dmFybNyaS5hZG1pbkBiY2cuY29t__search__RMD5e388bf8114eaecc6_at_160900_26417_8B358556-EC52-4F41-A194-1A98CFD37560", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

Issue : Actual log has alert_actions="email" value , when checked in selected fields the value is either 0 or empty even after using fillnull. What does this mean? In which scenarios does this occur? My use case is to find out the number of email alerts triggered in the last 24 hours , but few of them are missing in my report because alert_actions is either showing 0 or empty value.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎12-08-2020 02:11 AM

For me, query which I have provided working fine in 8.0.4.1 . Do you have any field extractions for field name alert_actions, if it is there then it is overriding default extractions. Check props.conf and transforms.conf for field alert_actions.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎12-08-2020 03:35 AM

@vn_g, the problem seems on source field. Splunk source field for scheduler logs in not "scheduler". It contains full path. Can you please try below query?

index=_internal sourcetype=scheduler alert_actions="*email*"

OR

index=_internal source=*scheduler.log alert_actions="*email*"

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

vn_g
Path Finder
‎12-08-2020 03:52 AM

I tried both the above queries, I still have the same issue.

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎12-08-2020 04:19 AM

So, I agree with @harsmarvania57 , you should check your extractions props.conf and transforms.conf for "scheduler" sourcetype.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-08-2020 01:27 AM

Which version of splunk? I am on Splunk 7.2 and I can see alert_actions field populated with correct data.

Can you please try to run below search and check whether you get any result?

 

index=_internal sourcetype=scheduler alert_actions="*email*"

 

EDIT: My mistake instead of source it should be sourcetype in above query which I corrected. Great catch @scelikok 

0 Karma
Reply
Solved! Jump to solution

vn_g
Path Finder
‎12-08-2020 01:44 AM

Version : 8.0.4.1

Query gives below result :index=_internal sourcetype=scheduler "email"
| fillnull

12-06-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", search_type="", user="abc", app="search", savedsearch_name="TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", priority=default, status=success, digest_mode=1, scheduled_time=1607241900, window_time=0, dispatch_time=1607241903, run_time=6.113, result_count=2, alert_actions="email", sid="scheduler_dmFybNyaS5hZG1pbkBiY2cuY29t__search__RMD5e388bf8114eaecc6_at_160900_26417_8B358556-EC52-4F41-A194-1A98CFD37560", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

Query : index=_internal source=scheduler alert_actions="*email*"
Above query doesnt give any results.

 

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎12-08-2020 02:11 AM

For me, query which I have provided working fine in 8.0.4.1 . Do you have any field extractions for field name alert_actions, if it is there then it is overriding default extractions. Check props.conf and transforms.conf for field alert_actions.

0 Karma
Reply
Solved! Jump to solution

vn_g
Path Finder
‎12-08-2020 07:42 AM

Splunk was not auto extracting "alert_actions" field using normal key value pair extractions.

App: search
props.conf
[scheduler]
EXTRACT-alert_action = alert_actions\=\"(?P<alert_actions>.*?)\"

Applying above props solved the issue.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-08-2020 01:04 AM

Hi,

alert_actions="" means there was no actions performed when scheduled search completed. For example: No email alert action, no summary indexing etc.

0 Karma
Reply
Solved! Jump to solution

vn_g
Path Finder
‎12-08-2020 01:19 AM

Yes, but in my case i could see alert_actions="email" in the actual log but when the field and the value are being shown in bottom of the log , because alert_actions is in selected fields , it shows 0 value or doesnt display it because of null value.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...