Alerting

Why is the triggered alert not logging event to index?

dcascione
Explorer

Hello - I've created a bunch of real-time alerts in Splunk Enterprise 6.52 and want to log each triggered event to an index so I can create a dashboard to show alerts over time. The task seems pretty straight forward ( create alert, add action, log event, etc) however I cannot get this to work. I've created an "alerts" index and have also tried to just forward them to a "summary" index. See screenshot:alt text

Thanks for your help in advance!

0 Karma
1 Solution

mayurr98
Super Champion

Can you try default index? keep index field blank. so it will store the events in default index i.e. index=main

View solution in original post

0 Karma

ccuadrad
Engager

Hi,

I think I am pretty late for this answer.

The problem is that you have a distributted environment and the SH that is the one that create the event cannot send it to the index because it is not defined. It is defined on the IDX.

So you can create a local index in your SH or make an output for that events.

MKozanic
Path Finder

Thank you so much @ccuadrad, You have saved my day.

This was doing my head in and such a simple fix!

0 Karma

iamsgsn
New Member

Hello - I've created a real-time alerts in Splunk Enterprise 7.1.2 and want to log each triggered event to an index so I can create a dashboard to show alerts over time. The task seems pretty straight forward ( create alert, add action, log event, etc) however I cannot get this to work. I'am trying to redirect this to my existing index

This seems to be not working and i dont have access to main index as per my company's policy . Please help me in logging this event to my custom index.

Looking forward to hear from you.

0 Karma

gurlest
Path Finder

We are having the same issue. Creating an alert, giving it a logevent action, giving it a triggered_alerts action... but nothing is written to the indicated index, which is a custom index defined within our environment.

I noticed quite a few parameters under 'advanced edit' that are mostly referenced in one of these two places:
https://docs.splunk.com/DocumentationStatic/CshrpSDK/2.2.8/Splunk.Client/html/1c2f4fe3-c78c-40bc-185...
http://dev.splunk.com/view/javascript-sdk/SP-CAAAEKZ

Can anyone help with what parameters need to be defined to:
1. Write to the 'summary' index?
2. Write to custom index 'index_A'?
3. Appear in Triggered Alerts under the activity pulldown in the top nav bar.

0 Karma

mayurr98
Super Champion

Can you try default index? keep index field blank. so it will store the events in default index i.e. index=main

0 Karma

dcascione
Explorer

I just set the index pointer to the default main index ...Awaiting the next alert to fire to see if it works. Is this a know bug where the index can't be set to anything but main?

0 Karma

mayurr98
Super Champion

No it is not a bug. When you specify nothing then the event will get store in the default index. And the default index for splunk is main. I hope you have not actually write default under index pointer . You have to just keep it blank.

0 Karma

dcascione
Explorer

Thanks for checking - I left the field blank.. Seems like a bug to me if the field allows you to point the alerts to alternate indexes (which the option does not appear to work)...

0 Karma

mayurr98
Super Champion

Yes you can definitely specify other indexes for that you need to create a custom index and then specify the same in that index pointer. This is just a try if this work then create a custom index and then specify it over there.

0 Karma

dcascione
Explorer

That's the original issue - I created a specific index for Splunk to send the alert machine logs to and it didn't work...Just waiting for an alert to fire to validate the change to the default index worked...

0 Karma

dcascione
Explorer

It worked! Not sure
why I cant send the alert logs to a specified index other than the main index, however this will work for my application. Thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...