Deployment Architecture

A difficult question: How to create an alert on a Splunk cluster?

xsstest
Communicator

Hi all,
I created a Splunk cluster and created an alert on the main search, but I could not find it in the alerts.
When I click "alert" on the navigation bar, it is constantly refreshing. Why is this so?
I still have a question:
When I set "cron" in the alert, I want it to run every minute. I set */1**** or * /1 * * * * or * /1 * * * as the cron, and when saving I am prompted with a cron format error.
So how can I set it up to run every minute with cron? What is the format?

Thank you

0 Karma
1 Solution

xsstest
Communicator

The reason is that I did not create an alert on the main search head. If I create an alert on the main search head, the other search heads will not show these errors and will synchronize the alert.

0 Karma

martin_mueller
SplunkTrust

To run a search every minute, use * * * * * as the cron schedule.

As for your other question, what exactly have you set up, where are you saving your alert, and where are you looking for it?
Did you set up an indexer cluster? A search head cluster?

0 Karma

martin_mueller
SplunkTrust

You can sign up for slack here: http://splk.it/slack

~2100 users registered 🙂

@martin_mueller - I edited to update the link - Liz

0 Karma

martin_mueller
SplunkTrust

In an indexer cluster or a search head cluster?

If indexer cluster, are you talking about the cluster master? About a dedicated search head searching the cluster's peers?
If search head cluster, are you talking about the captain? The deployer?

0 Karma

xsstest
Communicator

I have already registered (https://splunk-usergroups.signup.team/). Could you approve my registration request? Thank you.

0 Karma

xsstest
Communicator

I do not understand what you mean. Do you have an email contact or Facebook? I would like to ask you some questions about Splunk.

0 Karma

martin_mueller
SplunkTrust

What do you mean by "main search"? I'm still unsure about what exactly you have set up, where you are saving your alert, whether you're on an indexer cluster, a search head cluster, etc.

0 Karma

xsstest
Communicator

I do not understand what you mean. Do you have an email contact or Facebook? I would like to ask you some questions about Splunk.

0 Karma

xsstest
Communicator

Sorry, I am from China, so my English level is normal. This "main search" means the master search server in the cluster.

0 Karma

martin_mueller
SplunkTrust

This feels like a bigger thing, is the rest of Splunk working normally?

0 Karma

xsstest
Communicator

I want to create an alert on a search server in my cluster, but I cannot find the alert after I created it. So I click "Alerts" on the navigation bar; it has been refreshing and no alerts are displayed. In Settings -> KNOWLEDGE -> Searches, reports, and alerts, as above, it shows the error “Client is not authenticated”.

0 Karma

xsstest
Communicator

Yes. Other work is normal.

Do you know why you cannot create an alert on the main search?

0 Karma

mattymo
Splunk Employee

Are you using a load balancer (f5?) in front of your search head cluster?

- MattyMo
0 Karma

xsstest
Communicator

Not used. Why do you think so? The current cluster architecture is: three search servers, three index nodes, a master index node, and a deployment server and DMC. When I create an alert on a search server, I cannot find the alert I have created.

0 Karma

xsstest
Communicator

It shows the error: “Client is not authenticated”. Why? Where should I check?

0 Karma

mattymo
Splunk Employee

So the 3 search servers (Search Heads) are not clustered?

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/SHCdeploymentoverview

- MattyMo
0 Karma

xsstest
Communicator

I cannot find the alert I have created on the main search; it suggests that "client is not authenticated".

0 Karma