Hi, I was trying to create email alerts from Splunk logs. I set up the alert and the email is triggering, but the problem is that I am not getting the mail as expected. For example, below is how the log looks in Splunk.
2020-03-18T17:04:27,335+0100 ERROR [http-nio-10.96.106.134-8084-exec-6] c.n.c.controller.ErrorController - Message = Extraction process failed. ExceptionMessage = The date 223345.990.2 cannot be parsed. The pattern is: YYYY-MM-DD. ExceptionClass = DateParseException. ExceptionId = fb04d08a-db10-40ee-97a4-d2934f5a55da
host = xxxx.oneadr.net
source = /xxx/logs/ninjainst/microservices/xxxx/TokenHandler/TokenHandler-app.log
sourcetype = xxxx_app
This is the message I configured in Splunk for the alert emails:
"The alert condition for '$name$' was triggered on $trigger_date$, where there is a pattern ERROR in the log.
====================
Host Name: $result.host$.
Source File: $result.source$.
Message: $result.Message$.
Exception Message: $result.ExceptionMessage$.
ExceptionClass: $result.ExceptionClass$.
ExceptionId: $result.ExceptionId$"
But I am getting the mail as below; a few fields are not populating. Any idea about this?
The alert condition for '768_Alert' was triggered on March 18, 2020, where there is a pattern ERROR in the log.
====================
Host Name: xxxx.oneadr.net.
Source File: /xxx/logs/ninjainst/microservices/xxxx/TokenHandler/TokenHandler-app.log.
Message: .
Exception Message: .
ExceptionClass: .
ExceptionId:
Do the fields Message, ExceptionMessage, ExceptionClass and ExceptionId contain any values in your index?
Add the table command to your base query and check whether values are returned for these fields.
<your_alert_search> | table Message, ExceptionMessage, ExceptionClass, ExceptionId
If not, you need to extract them from _raw using rex.
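The rex extraction the answer refers to, worked through as an added example (this is not code from the question or the answer). The `$result.<field>$` tokens in an alert email are only filled when the field is present in the search results, so the extraction has to happen in the alert's own search, before the fields are referenced. The Python below holds the regex exactly as it would be passed to Splunk's `rex` command (PCRE named groups, `(?<name>...)`), runs it against the event from the question to show what each field would contain, and builds the full search. The sample event is the one from the question put back on one line; the base search `sourcetype=xxxx_app ERROR` is assumed, with no index given, and Splunk's `host`/`source`/`sourcetype` metadata are deliberately not part of the raw text.

```python
"""Search-time extraction of Message/ExceptionMessage/ExceptionClass/ExceptionId.

Added example: shows the rex regex for the ErrorController event and checks it
offline against the event from the question before it is used in a Splunk alert.
"""
import re

# Constructed sample: the event from the question, on one line as Splunk stores _raw.
# The "host = ... source = ... sourcetype = ..." shown after it in the UI is metadata,
# not part of the event text, so it is not included here.
SAMPLE_RAW = (
    "2020-03-18T17:04:27,335+0100 ERROR [http-nio-10.96.106.134-8084-exec-6] "
    "c.n.c.controller.ErrorController - Message = Extraction process failed. "
    "ExceptionMessage = The date 223345.990.2 cannot be parsed. "
    "The pattern is: YYYY-MM-DD. ExceptionClass = DateParseException. "
    "ExceptionId = fb04d08a-db10-40ee-97a4-d2934f5a55da"
)

# The regex as it would be given to Splunk's rex command (PCRE named groups).
# Each free-text value runs lazily up to the ". " that precedes the next "Key = "
# label, so a full stop inside ExceptionMessage ("...parsed. The pattern is...")
# does not cut the value short.  ExceptionId is bounded to the 36 characters of a
# UUID so nothing that follows the event text can bleed into it.
REX_PATTERN = (
    r"Message\s*=\s*(?<Message>.+?)\.?\s+"
    r"ExceptionMessage\s*=\s*(?<ExceptionMessage>.+?)\.?\s+"
    r"ExceptionClass\s*=\s*(?<ExceptionClass>\w+)\.?\s+"
    r"ExceptionId\s*=\s*(?<ExceptionId>[0-9a-f-]{36})"
)

# Python's re module spells named groups (?P<name>...), so translate the PCRE
# form for local testing; the pattern handed to Splunk stays as written above.
_PY_PATTERN = re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", REX_PATTERN))


def extract_fields(raw: str):
    """Apply the rex pattern to one event; return the four fields, or None if
    the event is not an ErrorController error (the alert should skip those)."""
    m = _PY_PATTERN.search(raw)
    return m.groupdict() if m else None


def alert_search(base_search: str = "sourcetype=xxxx_app ERROR") -> str:
    """Build the alert's search: base query, rex extraction, then the table
    check from the answer.  The default base search is an assumption."""
    return (
        f'{base_search} '
        f'| rex field=_raw "{REX_PATTERN}" '
        "| table host, source, Message, ExceptionMessage, ExceptionClass, ExceptionId"
    )


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_RAW).items():
        print(f"{name}: {value}")
    print()
    print(alert_search())
```

Paste the string returned by `alert_search()` into the alert's search and confirm that the `table` columns are populated before wiring up the email. One caveat a practitioner will want: `$result.<field>$` takes its value from the first result row only, so if the search returns several events per trigger, the email shows the fields of one of them, not all of them.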