Alerting

Why my mail alerts are not running?

ASISH_9
Engager

I have created a alert that sends 100 results to 100 indivisuals. The alert mode was kept as "Once per result".But each time it is triggered,it runs for 4 minutes and within that time only 4 people get the alert and rest don't.
Please suggest to fix this problem

Tags (1)
0 Karma

woodcock
Esteemed Legend

It is entirely likely that the problem is that you are being throttled by your email system itself. The best way to handle this is to create an email distribution list in your email system so that you send to 1 email address and the email system distributes to everyone else. Many enterprise companies use xMatters and Splunk integrates with this well:

https://splunkbase.splunk.com/app/2901/

Also, Once per result will send 100 emails to 100 people with 1 event in each email which is surely not what you desire; change to the other setting to send 1 email to 100 people with 100 events in each email.

0 Karma

ASISH_9
Engager

I am providing here an illustration of my search that would run as an alert:

EnterpriseID ReportingMonth BookedHours WorkingHours Email SupervisorID
a.b.c May,2017 12 20 a.b.c@gmail.com a.x@gmail.com

d.e.f May,2017 20 20 d.e.f@gmail.com a.1@gmail.com
d.e.g May,2017 19 20 d.e.g@gmail.com a.2@gmail.com

The query is written in such a way that this quuery will send the booked hours and working hours result only to those who have booked hours less than working hours.
Since individuals need to get the result here,so i have kept the alert mode as "Once per Result".I cannot use Once per search here.
The problem is the alert only runs for 5 minutes and only send 4-5 results within those 5 minutes and then it expires.
But i need all those who satisfy the mentioned condition to receive the mail alert.
Please do the needful

0 Karma

woodcock
Esteemed Legend

How are you getting it to send to each user and not to all users? Are you using tokens? Show the entire search and the alert settings and maybe we can help (or devise an alternative).

0 Karma

ASISH_9
Engager

Like i said,
If email is a.b.c@gmail.com the booked hours is 12 and working hours is 20.
Since booked hours is less so an email should be sent from server to his mail notifying this.
I cannot send it to all users at a time (which is "Once per search" mode in mail settings) since every user must get his/her individual alerts.

0 Karma

ASISH_9
Engager

I am providing below a summary of my query:

"|Query for calculating the number of days in a week|append[|Macro for bringing out latest values from TicketMaster source]
|joining a primary key with another macro for calculating booked hours of respective employee|eval Email=employee+"@domain.com"|
A Search command to extract those employees from the table whose booked hours is less than working hour

note:working hours is calculated from the first statement of the query "Query for calculating the number of days in a week"."

This query gives a table which contains Employee Id,booked hours ,working hours respective domain and email id along with their supervisor's Id.This sends an alert to those employees who are mentioned in the table (which is generated by above query).

Here are my mail settings:
Expiration:after 24 hours
Severity:Critical
Schedule type : Cron
Cron Schedule:runs the alert every day except weekends "10 12 * * 1-5"
alert mode:Once Per Result
alert conditions:Always
Throttling checkbox:not checked
Alert Actions checkbox:checked
To field: $result.Email$
cc:$result.SupervisorId$

0 Karma

ASISH_9
Engager

Actually my mail alert sends to 100 individuals so i kept the mode as Once Per Result

0 Karma

ASISH_9
Engager

And in my output i am bringing a column email id.Based on this i am sending one mail to different individuals with their respective result.So i cant use here "Once Per Search " mode

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...