Security

Log Event Alert Action not visible when creating alert

dsofoulis
Path Finder

Hi All,

I am creating an alert in an app which I have made using the add-on builder, my app name starts with SA-. As part of the alert I would like to use the log event trigger action. For some reason when I am in the context of my app I am unable to see this trigger action option. In the context of other apps such as search and other Splunk apps downloaded from splunk base I am able to see the log event trigger action.

under settings>alert actions I have confirmed the log event alert action has been shared globally.
Confirmed default.metadata in the alert_logevent app:

[alert_actions]
export = system

Confirmed my app is also shared globally.

I've made the alert_logevent app visible which did not work.

Tried renaming the app to remove the SA-

If I go to settings>searches,report and alerts>new alert. Then create the alert from the context of my app, I am now able to see the alert action but when it runs I get the following error

ERROR SearchScheduler - Error in 'sendalert' command: Alert action "logevent" not found., search='sendalert logevent results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B/per_result_alert/tmp_5.csv.gz" results_link="https://splunkserver:8000/app/app_name/app_name?q=|loadjob scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B | head 6 | tail 1&earliest=0&latest=now"'
08-15-2019 09:20:02.390 +0400 INFO sendmodalert - Invoking modular alert action=logevent for search="6005" 

I feel like it is a permission issue but not sure what else I can change.

Splunk Enterprise V7.0 and also on V7.1.3

0 Karma
1 Solution

dsofoulis
Path Finder

I've found the solution.
To fix this I edited default.metadata
[]
import = app1, app2, alert_logevent

View solution in original post

0 Karma

dsofoulis
Path Finder

I've found the solution.
To fix this I edited default.metadata
[]
import = app1, app2, alert_logevent

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...