Hi all,
I created a Splunk cluster and created an alert on the main search, but I could not find it in the alerts.
When I click "alert" on the navigation bar, it keeps refreshing. Why is this so?
I have another question:
When I set "cron" in the alert, I want it to run every minute, so I set */1****
or * /1 * * * *
or * /1 * * *
as the cron. When I save, I am prompted with a cron format error.
So how can I set up a cron to run every minute? What is the format?
Thank you.
The reason is that I did not create an alert on the main search head. If I create an alert on the main search head, the other search heads will not show these errors and will synchronize the alert.
To run a search every minute, use * * * * *
as the cron schedule.
As for your other question, what exactly have you set up, where are you saving your alert, and where are you looking for it?
Did you set up an indexer cluster? A search head cluster?
You can sign up for slack here: http://splk.it/slack
~2100 users registered 🙂
@martin_mueller - I edited to update the link - Liz
In an indexer cluster or a search head cluster?
If indexer cluster, are you talking about the cluster master? About a dedicated search head searching the cluster's peers?
If search head cluster, are you talking about the captain? The deployer?
I have already registered (https://splunk-usergroups.signup.team/). Could you approve my registration request? Thank you.
I do not understand what you mean. Do you have an email contact or Facebook? I would like to ask you some questions about Splunk.
What do you mean by "main search"? I'm still unsure about what exactly you have set up, where you are saving your alert, whether you're on an indexer cluster, a search head cluster, etc.
Sorry, I am from China, so my English level is normal. This "main search" means the master search server in the cluster.
This feels like a bigger thing. Is the rest of Splunk working normally?
I want to create an alert on a search server in my cluster, but I cannot find the alert after I create it. When I click "Alerts" on the navigation bar, it keeps refreshing and no alerts are displayed. In Settings -> KNOWLEDGE -> Searches, reports, and alerts, it is the same as above, and it shows the error “Client is not authenticated”.
Yes. Other work is normal.
Do you know why you can not create an alert on the Main search?
Are you using a load balancer (f5?) in front of your search head cluster?
Not used. Why do you think so? The current cluster architecture is: three search servers, three index nodes, a master index node, and a deployment server and DMC. When I create an alert on a search server, I cannot find the alert I have created.
It shows the error “Client is not authenticated”. Why? Where should I check?
So the 3 search servers (search heads) are not clustered?
http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/SHCdeploymentoverview
I cannot find the alert I have created on the main search; it reports "client is not authenticated".