Hello - I've created a bunch of real-time alerts in Splunk Enterprise 6.52 and want to log each triggered event to an index so I can create a dashboard to show alerts over time. The task seems pretty straightforward (create alert, add action, log event, etc.), however I cannot get this to work. I've created an "alerts" index and have also tried to just forward them to a "summary" index. See screenshot:
Thanks for your help in advance!
Can you try the default index? Keep the index field blank, so it will store the events in the default index, i.e. index=main.
Hi,
I think I am pretty late for this answer.
The problem is that you have a distributed environment and the SH, which is the one that creates the event, cannot send it to the index because it is not defined there. It is defined on the IDX.
So you can create a local index in your SH or make an output for those events.
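As an added illustration of the two options in this answer (not from the original thread or from Splunk's own documentation), this is roughly what the configuration looks like on the search head; the index name `alerts` comes from the question, the alert name, the search, the indexer hostnames and ports are placeholders, and the file paths assume a default install:

```ini
# --- $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf (search head) ---
# What the UI writes for a real-time alert with the "Log Event" action.
# The index parameter only works if the search head can write to that index.
[alert_failed_logins]                      ; placeholder alert name
search = index=auth action=failure | stats count by user   ; placeholder search
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1                            ; show it under Activity > Triggered Alerts
action.logevent = 1
action.logevent.param.event = alert=$name$ fired with $job.resultCount$ results
action.logevent.param.sourcetype = splunk_alerts
action.logevent.param.index = alerts       ; fails silently if "alerts" is unknown here

# --- Option 1: $SPLUNK_HOME/etc/system/local/indexes.conf (search head) ---
# Define the index locally so the SH can store the logged events itself.
[alerts]
homePath   = $SPLUNK_DB/alerts/db
coldPath   = $SPLUNK_DB/alerts/colddb
thawedPath = $SPLUNK_DB/alerts/thaweddb

# --- Option 2: $SPLUNK_HOME/etc/system/local/outputs.conf (search head) ---
# Forward whatever the SH generates to the indexers, where "alerts" already exists.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997   ; placeholder indexers

[indexAndForward]
index = false                              ; forward only, keep no local copy
```

Pick one of the two options; with Option 2 the search head must be a search peer of, or forwarding to, the same indexers that hold the `alerts` index so that `index=alerts` on the dashboard finds the events.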
Thank you so much @ccuadrad, You have saved my day.
This was doing my head in and such a simple fix!
Hello - I've created real-time alerts in Splunk Enterprise 7.1.2 and want to log each triggered event to an index so I can create a dashboard to show alerts over time. The task seems pretty straightforward (create alert, add action, log event, etc.), however I cannot get this to work. I'm trying to redirect this to my existing index.
This does not seem to be working, and I don't have access to the main index as per my company's policy. Please help me log this event to my custom index.
Looking forward to hearing from you.
We are having the same issue. Creating an alert, giving it a logevent action, giving it a triggered_alerts action... but nothing is written to the indicated index, which is a custom index defined within our environment.
I noticed quite a few parameters under 'advanced edit' that are mostly referenced in one of these two places:
https://docs.splunk.com/DocumentationStatic/CshrpSDK/2.2.8/Splunk.Client/html/1c2f4fe3-c78c-40bc-185...
http://dev.splunk.com/view/javascript-sdk/SP-CAAAEKZ
Can anyone help with what parameters need to be defined to:
1. Write to the 'summary' index?
2. Write to custom index 'index_A'?
3. Appear in Triggered Alerts under the activity pulldown in the top nav bar.
Can you try the default index? Keep the index field blank, so it will store the events in the default index, i.e. index=main.
I just set the index pointer to the default main index... Awaiting the next alert to fire to see if it works. Is this a known bug where the index can't be set to anything but main?
No, it is not a bug. When you specify nothing, the event will get stored in the default index, and the default index for Splunk is main. I hope you have not actually written "default" under the index pointer. You have to just keep it blank.
Thanks for checking - I left the field blank. Seems like a bug to me if the field allows you to point the alerts to alternate indexes (though the option does not appear to work)...
Yes, you can definitely specify other indexes; for that you need to create a custom index and then specify the same in that index pointer. This is just a try; if this works, then create a custom index and then specify it over there.
That's the original issue - I created a specific index for Splunk to send the alert machine logs to and it didn't work... Just waiting for an alert to fire to validate that the change to the default index worked...
It worked! Not sure why I can't send the alert logs to a specified index other than the main index, however this will work for my application. Thanks!