Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

similar alerts have several behaviours

acalvo
Explorer
‎03-22-2011 04:54 PM

When defining different alerts in the etc/user/admin/search/local/savedsearches.conf, some of them work and some don't. However, searches work for all of them and list events as expected.

Example that works:

[alert1]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "RCG" OR componentsc = "AS" OR componentsc = "VCS") AND actionsc = "ECPRO"

Example that does not work:

[alert2]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
alert.suppress.period = 20s
alert.track = 1
alert.severity = 4
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "AS" OR componentsc = "VCS" OR componentsc = "RCG") AND actionsc = "RBACA" AND (outcomesc = "001" OR outcomesc = "010")

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎02-25-2014 12:38 PM

The issue was probably the value set to 1 not recognized. Per saved searches.conf.spec:

alert.track = true | false | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto  - determine whether to track or not based on the tracking setting of each action, 
* do not track scheduled searches that always trigger actions.
* true  - force alert tracking.
* false - disable alert tracking for this search.
* Defaults to auto.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎02-25-2014 12:38 PM

The issue was probably the value set to 1 not recognized. Per saved searches.conf.spec:

alert.track = true | false | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto  - determine whether to track or not based on the tracking setting of each action, 
* do not track scheduled searches that always trigger actions.
* true  - force alert tracking.
* false - disable alert tracking for this search.
* Defaults to auto.
0 Karma
Reply
Solved! Jump to solution

acalvo
Explorer
‎03-24-2011 12:03 PM

Nevermind, the error was alert.track = 1, it should be alert.track = auto

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...