Alerting

alert_actions.conf being ignored

Explorer

I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.

I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.

Any ideas on why this doesn't work?

Tags (1)

Communicator

Add a local.meta file to "alertactionappname/metadata" with the following stanza:

[]
export = system

this will do the job and solve the problem

Path Finder

Antonio (my splunk homey) went through this - the answer is in precedence and I don't think it's a bug.

See
docs.splunk.com/Documentation/Splunk/6.0.1/admin/Wheretofindtheconfigurationfiles

alert_actions.conf is effective at app/user scope - not global.

if you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.

If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.

The access URL tells you which scope you're in. I have put an alert_actions.conf in
$SPLUNK_HOME/etc/apps/dbx/local.

I can configure it from the GUI if I want from this url:
h-t-t-p://instance:8000/en-US/manager/dbx/admin/alert_actions/email?action=edit

If I want to email searches from within the search app - I must place the file in
$SPLUNK_HOME/etc/apps/search/local

and i configure it from the gui using this URL:
h-t-t-p://instance:8000/en-US/manager/search/admin/alert_actions/email?action=edit

Its scope of effect is 'app/user', not global.

A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.

Gavs

Ultra Champion

Any thoughts on if it can be made global using an export = system in the default.meta of a custom app?

0 Karma

Path Finder

It is highly unlikely splunk changed the precedence rules for that file between releases. Antonio tested it on 5.* and saw the same behaviour...

0 Karma

Ultra Champion

That may be for 6*, but is it different for 5*?

0 Karma

Splunk Employee
Splunk Employee

SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5, splunk is connecting to mailserver indicated below

ON DS

/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf 
[email]
auth_password = $1$d2gP+53E8tz
auth_username = myemail@mailprovider.com
mailserver = smtp.mailprovider.com:2500
reportServerURL = 
from = myemail@mailprovider.com

ON DC

   /opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command
alert_actions.conf [email]
alert_actions.conf auth_password = $1$ndCtP+qYE8tz
alert_actions.conf auth_username = myemail@mailprovider.com
alert_actions.conf           bcc = 
alert_actions.conf           cc = 
alert_actions.conf           format = html
alert_actions.conf from = myemail@mailprovider.com
alert_actions.conf           hostname = 
alert_actions.conf           inline = 0
alert_actions.conf mailserver = smtp.mailprovider.com:2500
alert_actions.conf           maxresults = 10000
alert_actions.conf           maxtime = 5m
alert_actions.conf           pdfview = 
alert_actions.conf           preprocess_results = 
alert_actions.conf           reportCIDFontList = gb cns jp kor
alert_actions.conf           reportIncludeSplunkLogo = 1
alert_actions.conf           reportPaperOrientation = portrait
alert_actions.conf           reportPaperSize = letter
alert_actions.conf           reportServerEnabled = false
alert_actions.conf reportServerURL = 
alert_actions.conf           sendpdf = 0
alert_actions.conf           sendresults = 0
alert_actions.conf           subject = Splunk Alert: $name$
alert_actions.conf           to = 
alert_actions.conf           track_alert = 1
alert_actions.conf           ttl = 86400
alert_actions.conf           use_ssl = 0
alert_actions.conf           use_tls = 0
alert_actions.conf           width_sort_columns = 1

Explorer

ddeighton,

I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.

Submitted a bug report.

Ultra Champion

I don't see SPL-55476 listed on docs.splunk.com. Has this been listed as a known issue or fixed? http://docs.splunk.com/Special:SplunkSearch/docs?q=SPL-55476

0 Karma

Splunk Employee
Splunk Employee

Splunk bug SPL-55476 was created to address this issue. Thanks everyone that continues to reference this answer post.

0 Karma

Explorer

Support Case # 84640 for this issue.

0 Karma

Champion

@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is aflicting more than one user, also they may find multiple data sources on the bug helpful -> https://www.splunk.com/page/submit_issue if @cbowles could share his support ref then you could include that within your ticket so they can link the two issues quickly.

0 Karma

Explorer

Thanks, cbowles, for confirming the problem and filing the bug report.

0 Karma