Alerting

what's the correct format for multiple email addresses in an alert?

Builder

If I run a manual search and then create an alert, the modal dialog wizard that walks me through the alert setup requests a semicolon-separated list of email addresses. However, when editing an alert via the manager, the help text under the email recipient box says a comma-separated list.

Are both compatible? I am busy trying to troubleshoot why some alerts are not being sent by our Splunk server, and it seems to be alerts with multiple email addresses that are breaking.

Where could I get SMTP logs from the server? What other factors might be breaking SMTP alerts from coming through? I have tried both ";" and "," in the alert, and am still not receiving the alert. The search is a real-time search (earliest="rt" and latest="rt"), and if I run the search manually in real-time I see results coming up.

1 Solution

Motivator

On Linux you can find records of the mailings in

/opt/splunk/var/log/splunk/python.log

Looking like this at the start:

2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>

You may use either commas or semicolons to separate entries in the recipients list.

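As an added example (not part of the original thread or of Splunk itself), a small Python script that scans a constructed sample of python.log in the format quoted above for the "Sending email" lines, so you can tell whether the alert ever reached the email action, and that normalizes a recipient list written with either separator. The log sample, subjects and addresses are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of $SPLUNK_HOME/var/log/splunk/python.log
# (not a real capture); only the "Sending email" lines matter here.
SAMPLE_LOG = """\
2013-08-19 12:01:08,402 INFO Sending email. subject=Alert: disk usage high
2013-08-19 12:02:15,010 INFO unrelated line from another script
2013-08-19 12:05:31,117 INFO Sending email. subject=Alert: disk usage high
2013-08-19 12:09:44,530 INFO Sending email. subject=Alert: failed logins
"""

SEND_LINE = re.compile(r"^(\S+ \S+) INFO Sending email\. subject=(.*)$")


def sent_emails(log_text):
    """Return [(timestamp, subject), ...] for every email Splunk tried to send."""
    sends = []
    for line in log_text.splitlines():
        m = SEND_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            sends.append((ts, m.group(2).strip()))
    return sends


def sends_since(log_text, subject, since):
    """Count sends for one alert subject after `since`.

    Zero here means the alert never invoked the email action, so the
    problem is the alert/search, not SMTP; a non-zero count points at mail delivery.
    """
    return sum(1 for ts, subj in sent_emails(log_text) if subj == subject and ts >= since)


def parse_recipients(value):
    """Split a recipient list on commas or semicolons, as Splunk accepts both."""
    return [addr.strip() for addr in re.split(r"[,;]", value) if addr.strip()]


if __name__ == "__main__":
    for ts, subj in sent_emails(SAMPLE_LOG):
        print(ts.isoformat(), subj)
    print(parse_recipients("ops@example.com; oncall@example.com,sec@example.com"))
```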

Builder

yannk - I opened a new question that's more relevant - http://answers.splunk.com/answers/99747/real-time-alerts


Builder

Are you saying that when I create a search, neither of "Monitor in real-time over rolling window of..." and "Trigger in real-time whenever a result matches" should be used?


Builder

Thanks for the advice. I am refactoring a number of our rt alerts; they will run on an hourly schedule. The alert I have was working, and stopped a month ago. The parameters have not changed.



Builder

Thanks. It's not the emailing that's the problem; it must be the alert.


Splunk Employee

Remark: never use real-time all-time alerts (rt rt); they are very costly in resources and build up memory.

Change your script to just log a line when it's called. The problem may be the argument passing.


Builder

Seems like the problem is actually in the alert. I have tracking enabled, and if I create events that should trigger the alert, they are not showing in the alert manager either.

I have tried restarting the Splunk server, and it's still not working.
