Splunk Enterprise

Alert not being Triggered

New Member

I'm evaluating the product and have created a simple data source which is a PowerShell script that will output "hello".
This works fine and I can see the events every minute in the search results.
I then created a simple alert based on this as a real-time alert that will send an email when this is triggered.
I'm not sure if my email server settings are correct, however I still don't see the alert being triggered.
I'm a newbie so any ideas?

0 Karma


What does your realtime search look like?

If it's realtime (30s) for example, then you might be experiencing indexing delay greater than 30s. We generally recommend against realtime searches around here anyways.

I recommend you change your search to something like this:
... _index_earliest=-10m _index_latest=-5m ...

Then run the search every 5 minutes.

What this will do is look for the events between 5m and 10m ago by INDEXED TIME. Hopefully you don't have more than 5 minutes of indexing latency, and hopefully it's OK if you get the alert 5m after it has occurred.

You're probably not catching the events because of bad timestamps or indexing latency. You might find the events at Jan 1st 1970 for a brief moment and then they disappear because they're older than 6 years, etc.

0 Karma
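As an added illustration (not from the original thread), here are two savedsearches.conf stanzas contrasting the original real-time alert with the scheduled, index-time-windowed version recommended above. The sourcetype, stanza names and recipient address are assumptions.

```ini
# BEFORE: real-time alert over a 30s rolling window. An event that is indexed
# more than 30s after it was generated, or that gets a bad timestamp, never
# enters the window, so the alert never fires.
[hello_alert_realtime]
search = sourcetype=hello_script "hello"
dispatch.earliest_time = rt-30s
dispatch.latest_time = rt
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = alerts@example.com

# AFTER: runs every 5 minutes and selects events by *index* time rather than
# event time. Each run covers the 5-minute slice that closed 5 minutes ago,
# so up to 5 minutes of indexing latency no longer hides events.
[hello_alert_scheduled]
search = sourcetype=hello_script "hello" _index_earliest=-10m _index_latest=-5m
cron_schedule = */5 * * * *
# The event-time window still applies on top of _index_*; keep it wide enough
# to contain the events' _time. If timestamps are genuinely wrong (e.g. 1970),
# fix the sourcetype's timestamp extraction rather than widening this further.
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Record firings under Activity > Triggered Alerts, so you can confirm the
# alert itself works even while the email server settings are still unverified.
alert.track = 1
action.email = 1
action.email.to = alerts@example.com
```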