Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Email Alert not triggering though there is search result

shradha14
Loves-to-Learn
‎06-21-2022 09:04 AM

Hi,

I have created an email alert with cron schedule of every 4 hours, though I can see that even if there is search result, randomly email triggering is not happening.

Also, I made sure to use simpler splunk commands which will be a bit faster in terms of execution.

Can someone please suggest what could be the reason in such skipping of an email.

Labels (1)
Labels
0 Karma
Reply

shradha14
Loves-to-Learn
‎06-27-2022 05:24 AM

Its a project requirement that we have multiple dashboards/searches.
As per customer requirement we have to get this email notification no matter what every 4 hours. 

Is there any solution that though query is in queued state, alert output will get triggered?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 06:09 AM

Have you looked at the scheduler log as suggested to see why the query did not run?  Only after knowing the reason for the failure can you hope to correct it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2022 11:18 AM

Is it a problem of the alert not triggering or the email not getting delivered?  You can check the "Triggered Alerts" page for the former and index=_internal for the latter.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2022 11:17 AM

Have you checked that those alerts are fired and email has sent by splunk? Just use internal indexes to see that. One example how to look those https://community.splunk.com/t5/Alerting/How-to-troubleshoot-why-I-m-not-getting-email-alerts-from-S...

r. Ismo

0 Karma
Reply

shradha14
Loves-to-Learn
‎06-27-2022 05:11 AM

I have tested email alert as well before set up.  It triggered with the cron schedule correctly. I have observed sometimes at the time of cron schedule, alert output has the output "Waiting for queued jobs".

Is this the reason email is not triggering ??  Each time I have to re-schedule cron to 5 mins and manually run it.

Can someone please suggest what can be done even if query is in queued state and still it has to trigger an email ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 05:19 AM

There should be something in the scheduler log (index=_internal source=*scheduler.log*) explaining why the alert didn't run.

It sounds like you have too many searches trying to run at the same time so some have to wait (queue) for resources to become available.  Consider rescheduling or disabling some searches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2022 10:17 AM

Another place to check is MC’s Search-> Scheduler -> individual node or something. Look skipped and deferred searches to see how well your scheduler is working.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...