Security

Log Event Alert Action not visible when creating alert

Path Finder

Hi All,

I am creating an alert in an app which I have made using the add-on builder, my app name starts with SA-. As part of the alert I would like to use the log event trigger action. For some reason when I am in the context of my app I am unable to see this trigger action option. In the context of other apps such as search and other Splunk apps downloaded from splunk base I am able to see the log event trigger action.

under settings>alert actions I have confirmed the log event alert action has been shared globally.
Confirmed default.metadata in the alert_logevent app:

[alert_actions]
export = system

Confirmed my app is also shared globally.

I've made the alert_logevent app visible which did not work.

Tried renaming the app to remove the SA-

If I go to settings>searches,report and alerts>new alert. Then create the alert from the context of my app, I am now able to see the alert action but when it runs I get the following error

ERROR SearchScheduler - Error in 'sendalert' command: Alert action "logevent" not found., search='sendalert logevent results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B/per_result_alert/tmp_5.csv.gz" results_link="https://splunkserver:8000/app/app_name/app_name?q=|loadjob scheduler__nobody_U0EtZGFya21hdHRlci10aHJlYXQtZGV0ZWN0aW9u__6005_at_1565846400_1262_27223330-DB35-4A3A-8767-873F2404D37B | head 6 | tail 1&earliest=0&latest=now"'
08-15-2019 09:20:02.390 +0400 INFO sendmodalert - Invoking modular alert action=logevent for search="6005" 

I feel like it is a permission issue but not sure what else I can change.

Splunk Enterprise V7.0 and also on V7.1.3

0 Karma
1 Solution

Path Finder

I've found the solution.
To fix this I edited default.metadata
[]
import = app1, app2, alert_logevent

View solution in original post

0 Karma

Path Finder

I've found the solution.
To fix this I edited default.metadata
[]
import = app1, app2, alert_logevent

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!