Alerting

email alert stopped working

jng
New Member

My alert stopped emailing me today. It was fine previously. Looks like the alert didn't even noticed about the event.

Search alert:

sourcetype="access_combined_wcookie" 10.2.1.152 OR 10.2.1.153 status=500 startminutesago=1

scheduled to run every minute and alert when number of events is greater than 0

Search results:

12.50.83.238 - - [26/Jul/2011:10:36:25 -0700] "GET /android/search?pagesize=15&dapisum=5ea4825a3fc53f5e3010ead87d9624f2&cat=true&propertyType=h&sessionId=bdceNu7SbsVJHbw0RGNft&q=48066&maxRent=800&currentpage=0&minRent=600&deviceId=22a0000023e700f6&minBeds=2&version=1.0.2 HTTP1.1" 500 1229 "-" "android" "-" "74" "10.2.1.152" "8080" ""eventtype=PRDAPP12

107.50.83.238 - - [26/Jul/2011:10:36:13 -0700] "GET /android/search?pagesize=15&dapisum=5ea4825a3fc53f5e3010ead87d9624f2&cat=true&propertyType=h&sessionId=bdceNu7SbsVJHbw0RGNft&q=48066&maxRent=800&currentpage=0&minRent=600&deviceId=22a0000023e700f6&minBeds=2&version=1.0.2 HTTP1.1" 500 1229 "-" "android" "-" "153" "10.2.1.152" "8083" ""eventtype=PRDAPP12

Alert history:
07-26-2011 10:37:02.658 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='Alert - 1 500 on PRDAPP12 or PRDAPP13 from last minute' - result='success' - alert='number of events=0 greater than 0' - triggering - action='no action' - number of events=0

07-26-2011 10:36:02.573 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='Alert - 1 500 on PRDAPP12 or PRDAPP13 from last minute' - result='success' - alert='number of events=0 greater than 0' - triggering - action='no action' - number of events=0

Tags (3)
0 Karma

jng
New Member

Haha, it stopped working again. This is very strange. No idea how to fix this. Probably mothership wants me to upgrade Splunk to 4.0.

0 Karma

jng
New Member

Strange, the email alerts just started working again. Must be a bug.. I'm still on 3.4.14.

0 Karma

pero1234
Path Finder

I have the same issue but for another search! 😞
My search working, but alert don't.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...