Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Why is the Mail Alert notification not working...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Experts,
I have triggered Mail alert notification on the real-time format.
I got last email alert notification on 30.06.2018 after that I got an error which is visible in the search result but didn't get any mail notification for that.
Even I got that errors when I searched with "all time" option but didn't get that same errors when it was in "within 7 days" option.
Can anyone help me?
Please let me know if you have any queries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I suspect this may be a date format issue, in my experience if something was working before the month changed and fails in the new month (usually for an input defined fairly recently), Splunk is possibly misinterpreting the date and indexing the data for yesterday as 7th January 2018, todays data as 7th February 2018.
You probably need to set the TIME_FORMAT attribute in the appropriate props.conf stanza to recognize your timestamp correctly. The Getting Data in documentation has a section on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I suspect this may be a date format issue, in my experience if something was working before the month changed and fails in the new month (usually for an input defined fairly recently), Splunk is possibly misinterpreting the date and indexing the data for yesterday as 7th January 2018, todays data as 7th February 2018.
You probably need to set the TIME_FORMAT attribute in the appropriate props.conf stanza to recognize your timestamp correctly. The Getting Data in documentation has a section on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @RHASQaL
I got you point and this is the only reason why my alerts are not working.
But I have multiple sources, hosts and even my source types are not fix one.
So can you give me any suggestion which will fix my issue in search result line?
Please attach the link if you have
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suspect due to my lowly rating that any links I include are being dropped from my Answers/comments. The link I tried to include for the Getting Data In documentation was http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Configuretimestamprecognition#Edit_timestamp_...
I think Splunk unless otherwise told expects the timestamp format to be a US date format e.g. mm/dd/yyyy hh:mm:ss (or something similar). Here in the UK it seems advisable to specify a TIME_FORMAT for all inputs, as invariably Splunk misinterprets the date/time field and can index the data with the incorrect timestamp.
To be more specific I'd need to see an example of the timestamp in the source data, and some details about the source, sourcetype defined in Splunk.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
