Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

map and sendmail commands in search head clustering

yutaka1005
Builder
‎10-17-2017 10:09 PM

In my environment, I am building search head clustering consisting of three search heads and one deployer.

In addition, I am using an alert that sends mail individually with the "map" command and "sendmail" command for logs that meet certain conditions.

However, as a result of checking this morning, only one alert was caught, and even though the result was one line, two mails were sent.

When I checking the internal logs, the logs below were issued in the internal logs of the two search heads at approximately the same timing (deviation of about 0.4 seconds).
"INFO sendemail:128 - Sending email..."

From this I thought that the same search ran for the two search heads.

Is there a workaround for this phenomenon?
Also, are "sendmail" and "map" commands not recommended in clustering?
And Is there a possibility that it is the cause?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎10-18-2017 12:12 AM

MAPコマンドもsendmailコマンドもクラスタ環境で問題なく動くと思います。JOBの重複起動やデータの重複が原因ではないですか?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

tkomatsubara_sp
Splunk Employee
Splunk Employee
‎10-18-2017 07:44 PM

メールサーバ側(たとえば、Syslog) で、きちんとリクエストが来ているかという観点でのチェックも必要ですね。

Reply
Solved! Jump to solution

yutaka1005
Builder
‎10-18-2017 08:49 PM

ご回答いただきありがとうございます。

アラートが二重で動作していたことが原因でした…
jobを確認したらすぐにわかりました。

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎10-18-2017 12:12 AM

MAPコマンドもsendmailコマンドもクラスタ環境で問題なく動くと思います。JOBの重複起動やデータの重複が原因ではないですか?

0 Karma
Reply
Solved! Jump to solution

yutaka1005
Builder
‎10-18-2017 08:50 PM

ご回答いただきありがとうございます。

ご指摘のとおりアラートが二重で動いていたことが原因でした。

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...