Alerting

Why is the Mail Alert notification not working after one month?

saibal6
Path Finder

Hi Experts,

I have triggered Mail alert notification on the real-time format.

I got the last email alert notification on 30.06.2018; after that I got an error which is visible in the search result, but I didn't get any mail notification for it.

I even got those errors when I searched with the "all time" option, but I didn't get the same errors when it was in the "within 7 days" option.

Can anyone help me?

Please let me know if you have any queries.

0 Karma
1 Solution

RHASQaL
Path Finder

Hi

I suspect this may be a date format issue. In my experience, if something was working before the month changed and fails in the new month (usually for an input defined fairly recently), Splunk is possibly misinterpreting the date and indexing the data for yesterday as 7th January 2018 and today's data as 7th February 2018.

You probably need to set the TIME_FORMAT attribute in the appropriate props.conf stanza to recognize your timestamp correctly. The Getting Data In documentation has a section on this.


saibal6
Path Finder

Thank you @RHASQaL

I got your point, and this is the only reason why my alerts are not working.

But I have multiple sources and hosts, and even my source types are not fixed.

So can you give me any suggestion which will fix my issue in search result line?

Please attach the link if you have one.

0 Karma

RHASQaL
Path Finder

I suspect due to my lowly rating that any links I include are being dropped from my Answers/comments. The link I tried to include for the Getting Data In documentation was http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Configuretimestamprecognition#Edit_timestamp_...

I think Splunk unless otherwise told expects the timestamp format to be a US date format e.g. mm/dd/yyyy hh:mm:ss (or something similar). Here in the UK it seems advisable to specify a TIME_FORMAT for all inputs, as invariably Splunk misinterprets the date/time field and can index the data with the incorrect timestamp.

To be more specific I'd need to see an example of the timestamp in the source data, and some details about the source, sourcetype defined in Splunk.

0 Karma
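The symptom in this thread (errors visible under "all time" but missing from "within 7 days" once the month rolled over) follows directly from a day-first timestamp being read month-first. The following added example, not code from the thread or from Splunk, models that with strptime patterns (the same notation Splunk's TIME_FORMAT setting uses) over constructed dd/mm/yyyy log lines; the sourcetype name and sample events are placeholders, and the "US guess" is a simplified model of the default reading the answer above describes, not Splunk's full timestamp heuristics.

```python
from datetime import datetime, timedelta

# Constructed sample events from a source that writes dd/mm/yyyy (assumption:
# the asker's source is day-first). The alert last fired on 30 June 2018.
SAMPLE_LINES = [
    "01/07/2018 09:15:00 ERROR payment gateway timeout",
    "03/07/2018 11:42:00 ERROR disk quota exceeded",
    "28/06/2018 08:00:00 ERROR disk quota exceeded",
]

# strptime patterns; Splunk's TIME_FORMAT uses the same notation.
US_GUESS = "%m/%d/%Y %H:%M:%S"   # month-first reading assumed when nothing is configured
UK_FORMAT = "%d/%m/%Y %H:%M:%S"  # what to set in props.conf for this source, e.g.
#   [my_uk_sourcetype]            (placeholder sourcetype name)
#   TIME_FORMAT = %d/%m/%Y %H:%M:%S

SEARCH_NOW = datetime(2018, 7, 4, 12, 0, 0)  # constructed time the search runs


def parse_event_time(line, time_format):
    """Parse the leading 'date time' of a line; None if the pattern cannot fit
    (a day above 12 can never be read as a month, so the US guess rejects it)."""
    stamp = " ".join(line.split(" ", 2)[:2])
    try:
        return datetime.strptime(stamp, time_format)
    except ValueError:
        return None


def in_last_days(event_time, now, days=7):
    """True if event_time falls inside the 'last N days' window ending at now."""
    if event_time is None:
        return False
    return now - timedelta(days=days) <= event_time <= now


def classify(lines, time_format, now):
    """For each line: (parsed _time, visible in a 'last 7 days' search?)."""
    result = {}
    for line in lines:
        t = parse_event_time(line, time_format)
        result[line] = (t, in_last_days(t, now))
    return result


if __name__ == "__main__":
    for label, fmt in (("US guess", US_GUESS), ("TIME_FORMAT set", UK_FORMAT)):
        print(label)
        for line, (t, visible) in classify(SAMPLE_LINES, fmt, SEARCH_NOW).items():
            print(f"  _time={t}  last_7_days={visible}  {line}")
```

With the month-first guess, 01/07/2018 becomes 7 January and 03/07/2018 becomes 7 March, both outside any recent window, while 28/06/2018 does not fit the guessed pattern at all; with the explicit day-first TIME_FORMAT all three land inside the last 7 days.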