Log Event Alert Action not visible when creating alert

dsofoulis
Path Finder

Hi All,

I am creating an alert in an app which I have made using the Add-on Builder; my app name starts with SA-. As part of the alert I would like to use the Log Event trigger action. For some reason, when I am in the context of my app, I am unable to see this trigger action option. In the context of other apps, such as Search and other Splunk apps downloaded from Splunkbase, I am able to see the Log Event trigger action.

Under Settings > Alert actions I have confirmed the Log Event alert action has been shared globally.
Confirmed default.metadata in the alert_logevent app:

[alert_actions]
export = system

Confirmed my app is also shared globally.

I've made the alert_logevent app visible which did not work.

Tried renaming the app to remove the SA-.

If I go to Settings > Searches, reports, and alerts > New Alert, then create the alert from the context of my app, I am now able to see the alert action, but when it runs I get the following error:

ERROR SearchScheduler - Error in 'sendalert' command: Alert action "logevent" not found., search='sendalert logevent results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B/per_result_alert/tmp_5.csv.gz" results_link="https://splunkserver:8000/app/app_name/app_name?q=|loadjob scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B | head 6 | tail 1&earliest=0&latest=now"'
08-15-2019 09:20:02.390 +0400 INFO sendmodalert - Invoking modular alert action=logevent for search="6005" 

I feel like it is a permission issue but am not sure what else I can change.

Splunk Enterprise V7.0 and also on V7.1.3

0 Karma
1 Solution

dsofoulis
Path Finder

I've found the solution.
To fix this I edited default.metadata:
[]
import = app1, app2, alert_logevent


0 Karma
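The fix above comes down to one line in the app's default.meta. As an added example (not the poster's code or anything shipped with Splunk), the following Python parses a .meta file, reports which apps the global [] stanza imports, and appends alert_logevent when it is missing; the sample file and the app names app1/app2 are constructed, and the file is assumed to already contain a [] stanza, as the poster's did.

```python
import re
# Constructed sample (not from the post): an app's default.meta whose global
# stanza imports two hypothetical apps but not alert_logevent.
BEFORE = """\
[]
import = app1, app2

[alert_actions]
export = system
"""

def parse_meta(text):
    """Parse .meta/.conf text into {stanza: {key: value}} (configparser rejects '[]')."""
    stanzas, current = {"": {}}, ""   # keys before any header count as global (assumption)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(.*)\]", line):
            current = m.group(1)
            stanzas.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def imported_apps(text):
    """Apps named in the global stanza's 'import' key, in file order."""
    raw = parse_meta(text)[""].get("import", "")
    return [a.strip() for a in raw.split(",") if a.strip()]

def add_import(text, app="alert_logevent"):
    """Append `app` to the global [] import list (the post's fix); adds the key if missing."""
    if app in imported_apps(text):
        return text
    has_key = "import" in parse_meta(text)[""]
    out, stanza = [], ""
    for line in text.splitlines():
        if m := re.fullmatch(r"\[(.*)\]", line.strip()):
            stanza = m.group(1)
            out.append(line)
            if stanza == "" and not has_key:
                out.append(f"import = {app}")   # no import key yet: add one under []
            continue
        if stanza == "" and has_key and line.split("=", 1)[0].strip() == "import":
            existing = line.partition("=")[2].strip()
            line = f"import = {existing}, {app}" if existing else f"import = {app}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running add_import over the constructed BEFORE yields a global stanza reading import = app1, app2, alert_logevent, with the other stanzas left untouched.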
