Splunk Enterprise

Alert not being Triggered

rubans
New Member

I'm evaluating the product and have created a simple data source, which is a PowerShell script that will output "hello".
This works fine and I can see the events every minute in the search results.
I then created a simple alert based on this as a real-time alert that will send an email when this is triggered.
I'm not sure if my email server settings are correct; however, I still don't see the alert being triggered.
I'm a newbie, so any ideas?


jkat54
SplunkTrust

What does your realtime search look like?

If it's real-time (30s), for example, then you might be experiencing indexing delay greater than 30s. We generally recommend against real-time searches around here anyway.

I recommend you change your search to something like this:
... _index_earliest=-10m _index_latest=-5m ...

Then run the search every 5 minutes.

What this will do is look for the events between 5m and 10m ago by INDEXED TIME. Hopefully you don't have more than 5 minutes of indexing latency, and hopefully it's OK if you get the alert 5m after it has occurred.

You're probably not catching the events because of bad timestamps or indexing latency. You might find the events at Jan 1st 1970 for a brief moment and then they disappear because they're older than 6 years, etc.

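The following is an added illustration, not code from the thread or from Splunk. It models the two failure modes the answer describes (indexing latency and a bad timestamp) with constructed sample events that carry both an event time (_time) and an index time (_indextime), and shows why a 30-second real-time window on _time never fires for them while a scheduled search on an _indextime window catches each event exactly once. Two modelling assumptions are labelled in the code: an event only becomes searchable once its index time has passed, and the index-time window is half-open (earliest inclusive, latest exclusive); the event names and timestamps are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the thread). Each event carries two
# timestamps: _time, parsed from the event text, and _indextime, the moment
# the indexer actually wrote it.
NOW = datetime(2021, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    name: str
    time: datetime       # _time
    indextime: datetime  # _indextime


EVENTS = [
    # Correct timestamp, but 45 s of indexing latency: it is written to the
    # index only after a 30 s real-time window on _time has already closed.
    Event("late_indexed", NOW - timedelta(seconds=10), NOW + timedelta(seconds=35)),
    # Timestamp extraction failed and fell back to the epoch; indexed promptly.
    Event("bad_timestamp", EPOCH, NOW - timedelta(seconds=5)),
    # Well-behaved event, indexed 2 s after it happened.
    Event("prompt", NOW - timedelta(seconds=20), NOW - timedelta(seconds=18)),
]


def realtime_window(events, run_at, window=timedelta(seconds=30)):
    """Model a 'real-time (30s)' alert evaluated at run_at.

    Assumption: an event is searchable only once run_at >= _indextime, and the
    alert selects on _time within the trailing window.
    """
    return {
        e.name for e in events
        if e.indextime <= run_at and run_at - window <= e.time <= run_at
    }


def indextime_window(events, run_at,
                     earliest=timedelta(minutes=-10),
                     latest=timedelta(minutes=-5)):
    """Model `_index_earliest=-10m _index_latest=-5m` evaluated at run_at.

    Selection is on _indextime only; _time is ignored, so a 1970 timestamp no
    longer matters. Assumption: the window is half-open [earliest, latest).
    """
    lo, hi = run_at + earliest, run_at + latest
    return {e.name for e in events if lo <= e.indextime < hi}


def simulate(events, start, runs, every, searcher):
    """Run `searcher` on each scheduled tick and collect every event that fired."""
    fired = set()
    for i in range(runs):
        fired |= searcher(events, start + i * every)
    return fired


def suspect_events(events, max_latency=timedelta(minutes=5)):
    """Return names whose index-time minus event-time exceeds max_latency.

    A huge gap is the signature of a bad timestamp; a moderate one is plain
    indexing latency. Either explains a real-time alert that never fires.
    """
    return {e.name for e in events if e.indextime - e.time > max_latency}


if __name__ == "__main__":
    # A real-time search effectively re-evaluates continuously; approximate
    # that with a run every second for two minutes around NOW.
    rt = simulate(EVENTS, NOW - timedelta(minutes=1), 180,
                  timedelta(seconds=1), realtime_window)
    # The scheduled alternative: cron every 5 minutes, index-time window.
    scheduled = simulate(EVENTS, NOW, 4, timedelta(minutes=5), indextime_window)
    print("real-time alert fired for:", sorted(rt))
    print("scheduled index-time alert fired for:", sorted(scheduled))
    print("events with suspicious latency:", sorted(suspect_events(EVENTS)))
```

Running it shows the real-time model fires only for the well-behaved event, while the index-time schedule fires once for all three; the latency check flags the epoch-dated event, which is the case the answer describes as briefly appearing at Jan 1st 1970.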