- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- email alert stopped working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
email alert stopped working
My alert stopped emailing me today. It was fine previously. Looks like the alert didn't even noticed about the event.
Search alert:
sourcetype="access_combined_wcookie" 10.2.1.152 OR 10.2.1.153 status=500 startminutesago=1
scheduled to run every minute and alert when number of events is greater than 0
Search results:
12.50.83.238 - - [26/Jul/2011:10:36:25 -0700] "GET /android/search?pagesize=15&dapisum=5ea4825a3fc53f5e3010ead87d9624f2&cat=true&propertyType=h&sessionId=bdceNu7SbsVJHbw0RGNft&q=48066&maxRent=800¤tpage=0&minRent=600&deviceId=22a0000023e700f6&minBeds=2&version=1.0.2 HTTP1.1" 500 1229 "-" "android" "-" "74" "10.2.1.152" "8080" ""eventtype=PRDAPP12
107.50.83.238 - - [26/Jul/2011:10:36:13 -0700] "GET /android/search?pagesize=15&dapisum=5ea4825a3fc53f5e3010ead87d9624f2&cat=true&propertyType=h&sessionId=bdceNu7SbsVJHbw0RGNft&q=48066&maxRent=800¤tpage=0&minRent=600&deviceId=22a0000023e700f6&minBeds=2&version=1.0.2 HTTP1.1" 500 1229 "-" "android" "-" "153" "10.2.1.152" "8083" ""eventtype=PRDAPP12
Alert history:
07-26-2011 10:37:02.658 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='Alert - 1 500 on PRDAPP12 or PRDAPP13 from last minute' - result='success' - alert='number of events=0 greater than 0' - triggering - action='no action' - number of events=0
07-26-2011 10:36:02.573 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='Alert - 1 500 on PRDAPP12 or PRDAPP13 from last minute' - result='success' - alert='number of events=0 greater than 0' - triggering - action='no action' - number of events=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Haha, it stopped working again. This is very strange. No idea how to fix this. Probably mothership wants me to upgrade Splunk to 4.0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Strange, the email alerts just started working again. Must be a bug.. I'm still on 3.4.14.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same issue but for another search! 😞
My search working, but alert don't.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
