Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

similar alerts have several behaviours

acalvo
Explorer
‎03-22-2011 04:54 PM

When defining different alerts in the etc/user/admin/search/local/savedsearches.conf, some of them work and some don't. However, searches work for all of them and list events as expected.

Example that works:

[alert1]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "RCG" OR componentsc = "AS" OR componentsc = "VCS") AND actionsc = "ECPRO"

Example that does not work:

[alert2]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
alert.suppress.period = 20s
alert.track = 1
alert.severity = 4
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "AS" OR componentsc = "VCS" OR componentsc = "RCG") AND actionsc = "RBACA" AND (outcomesc = "001" OR outcomesc = "010")

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎02-25-2014 12:38 PM

The issue was probably the value set to 1 not recognized. Per saved searches.conf.spec:

alert.track = true | false | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto  - determine whether to track or not based on the tracking setting of each action, 
* do not track scheduled searches that always trigger actions.
* true  - force alert tracking.
* false - disable alert tracking for this search.
* Defaults to auto.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎02-25-2014 12:38 PM

The issue was probably the value set to 1 not recognized. Per saved searches.conf.spec:

alert.track = true | false | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto  - determine whether to track or not based on the tracking setting of each action, 
* do not track scheduled searches that always trigger actions.
* true  - force alert tracking.
* false - disable alert tracking for this search.
* Defaults to auto.
0 Karma
Reply
Solved! Jump to solution

acalvo
Explorer
‎03-24-2011 12:03 PM

Nevermind, the error was alert.track = 1, it should be alert.track = auto

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...