
alert_actions.conf being ignored

Explorer

I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.

I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.

Any ideas on why this doesn't work?


Communicator

Add a local.meta file to "alertactionappname/metadata" with the following stanza:

[]
export = system

This will do the job and solve the problem.
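A check for the condition this answer describes, as an added example that is not part of the original post or of Splunk's tooling: it walks a directory of apps and lists those that ship alert_actions.conf without `export = system` in their metadata. The function names and the `mail_settings` app are hypothetical, and the sample tree is constructed; the stanza lookup order and the app-only default are assumptions of this sketch.

```python
from pathlib import Path

def parse_meta(path):
    """Parse a Splunk .meta file into {stanza: {key: value}}; "" is the [] stanza."""
    stanzas, current = {}, None
    lines = path.read_text().splitlines() if path.is_file() else []
    for line in map(str.strip, lines):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(app_dir, conf="alert_actions"):
    """Return the export value that applies to <conf> objects shipped by this app."""
    merged = {}
    for name in ("default.meta", "local.meta"):  # local.meta overrides default.meta
        for stanza, kv in parse_meta(Path(app_dir) / "metadata" / name).items():
            merged.setdefault(stanza, {}).update(kv)
    for stanza in (conf, ""):  # assumption: [alert_actions] beats the catch-all []
        if "export" in merged.get(stanza, {}):
            return merged[stanza]["export"]
    return "none"  # assumption: no export setting means app-only sharing

def unexported_alert_apps(apps_root):
    """List apps that ship alert_actions.conf but do not set export = system."""
    flagged = []
    for app_dir in sorted(p for p in Path(apps_root).iterdir() if p.is_dir()):
        ships = any((app_dir / d / "alert_actions.conf").is_file() for d in ("default", "local"))
        if ships and effective_export(app_dir) != "system":
            flagged.append(app_dir.name)
    return flagged

def build_sample(root):
    """Constructed tree: testDeployApp has no metadata, mail_settings has the [] stanza."""
    files = {"testDeployApp/local/alert_actions.conf": "[email]\n",
             "mail_settings/local/alert_actions.conf": "[email]\n",
             "mail_settings/metadata/local.meta": "[]\nexport = system\n"}
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(unexported_alert_apps(root))
```

Pointed at a real `etc/deployment-apps` or `etc/apps` directory, `unexported_alert_apps` gives the list of apps whose mail settings would stay app-scoped under this answer's reading.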

Path Finder

Antonio (my Splunk homey) went through this - the answer is in precedence and I don't think it's a bug.

See
docs.splunk.com/Documentation/Splunk/6.0.1/admin/Wheretofindtheconfigurationfiles

alert_actions.conf is effective at app/user scope - not global.

If you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.

If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.

The access URL tells you which scope you're in. I have put an alert_actions.conf in
$SPLUNK_HOME/etc/apps/dbx/local.

I can configure it from the GUI if I want from this url:
http://instance:8000/en-US/manager/dbx/admin/alert_actions/email?action=edit

If I want to email searches from within the search app - I must place the file in
$SPLUNK_HOME/etc/apps/search/local

and I configure it from the GUI using this URL:
http://instance:8000/en-US/manager/search/admin/alert_actions/email?action=edit

Its scope of effect is 'app/user', not global.

A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.

Gavs

Ultra Champion

Any thoughts on if it can be made global using an export = system in the default.meta of a custom app?

0 Karma

Path Finder

It is highly unlikely Splunk changed the precedence rules for that file between releases. Antonio tested it on 5.* and saw the same behaviour...

0 Karma

Ultra Champion

That may be for 6*, but is it different for 5*?

0 Karma

Splunk Employee

SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5; Splunk is connecting to the mailserver indicated below.

ON DS

/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf 
[email]
auth_password = $1$d2gP+53E8tz
auth_username = myemail@mailprovider.com
mailserver = smtp.mailprovider.com:2500
reportServerURL = 
from = myemail@mailprovider.com

ON DC

   /opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command
alert_actions.conf [email]
alert_actions.conf auth_password = $1$ndCtP+qYE8tz
alert_actions.conf auth_username = myemail@mailprovider.com
alert_actions.conf           bcc = 
alert_actions.conf           cc = 
alert_actions.conf           format = html
alert_actions.conf from = myemail@mailprovider.com
alert_actions.conf           hostname = 
alert_actions.conf           inline = 0
alert_actions.conf mailserver = smtp.mailprovider.com:2500
alert_actions.conf           maxresults = 10000
alert_actions.conf           maxtime = 5m
alert_actions.conf           pdfview = 
alert_actions.conf           preprocess_results = 
alert_actions.conf           reportCIDFontList = gb cns jp kor
alert_actions.conf           reportIncludeSplunkLogo = 1
alert_actions.conf           reportPaperOrientation = portrait
alert_actions.conf           reportPaperSize = letter
alert_actions.conf           reportServerEnabled = false
alert_actions.conf reportServerURL = 
alert_actions.conf           sendpdf = 0
alert_actions.conf           sendresults = 0
alert_actions.conf           subject = Splunk Alert: $name$
alert_actions.conf           to = 
alert_actions.conf           track_alert = 1
alert_actions.conf           ttl = 86400
alert_actions.conf           use_ssl = 0
alert_actions.conf           use_tls = 0
alert_actions.conf           width_sort_columns = 1

Explorer

ddeighton,

I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.

Submitted a bug report.

Ultra Champion

I don't see SPL-55476 listed on docs.splunk.com. Has this been listed as a known issue or fixed? http://docs.splunk.com/Special:SplunkSearch/docs?q=SPL-55476

0 Karma

Splunk Employee

Splunk bug SPL-55476 was created to address this issue. Thanks everyone that continues to reference this answer post.

0 Karma

Explorer

Support Case # 84640 for this issue.

0 Karma

Champion

@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is afflicting more than one user; they may also find multiple data sources on the bug helpful -> https://www.splunk.com/page/submit_issue. If @cbowles could share his support ref, then you could include that within your ticket so they can link the two issues quickly.

0 Karma

Explorer

Thanks, cbowles, for confirming the problem and filing the bug report.

0 Karma