Solved: map and sendmail commands in search head clusterin...

yutaka1005 · ‎10-17-2017

In my environment, I am building search head clustering consisting of three search heads and one deployer.

In addition, I am using an alert that sends mail individually with the "map" command and "sendmail" command for logs that meet certain conditions.

However, as a result of checking this morning, only one alert was caught, and even though the result was one line, two mails were sent.

When I checking the internal logs, the logs below were issued in the internal logs of the two search heads at approximately the same timing (deviation of about 0.4 seconds).
"INFO sendemail:128 - Sending email..."

From this I thought that the same search ran for the two search heads.

Is there a workaround for this phenomenon?
Also, are "sendmail" and "map" commands not recommended in clustering?
And Is there a possibility that it is the cause?

HiroshiSatoh · ‎10-18-2017

MAPコマンドもsendmailコマンドもクラスタ環境で問題なく動くと思います。JOBの重複起動やデータの重複が原因ではないですか？

View solution in original post

tkomatsubara_sp · ‎10-18-2017

メールサーバ側(たとえば、Syslog) で、きちんとリクエストが来ているかという観点でのチェックも必要ですね。

yutaka1005 · ‎10-18-2017

ご回答いただきありがとうございます。

アラートが二重で動作していたことが原因でした…
jobを確認したらすぐにわかりました。

HiroshiSatoh · ‎10-18-2017

MAPコマンドもsendmailコマンドもクラスタ環境で問題なく動くと思います。JOBの重複起動やデータの重複が原因ではないですか？

yutaka1005 · ‎10-18-2017

ご回答いただきありがとうございます。

ご指摘のとおりアラートが二重で動いていたことが原因でした。

map and sendmail commands in search head clustering

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk