I created an alert w/ a basic search:
index=_internal | stats count
Cron Expression: */1 * * * *
Alert condition choise customer, Trigger Conditions: search count>0
Trigger Actions is Add to Triggered Alerts.
But no alert messages are showing in the Trigger alerts page.
I'm testing w/ Splunk versions 8.0.4. and 8.0.2.
The same alert configration is normal in Splunk 7.
Question solved. Cause alert.condition item of alert configuration file savesearch.conf have wrong Greater than escape.
For example: normal: alert_condition = search data_count > 0
splunk 8 : alert_condition = search count > 0
Testing splunk version is 8.0.4, Suggestion next version fix bug.
Question solved. Cause alert.condition item of alert configuration file savesearch.conf have wrong Greater than escape.
For example: normal: alert_condition = search data_count > 0
splunk 8 : alert_condition = search count > 0
Testing splunk version is 8.0.4, Suggestion next version fix bug.
Hi,
Could you give us more details?
Check whether the search is producing any results.
Also, include the time window in the search as below.
index="your_index" sourcetype="your_st" earliest=-1h@h latest=@h
I am searching for a window of one hour
I modified base search:
index=_internal sourcetype=splunkd earliest=-10m@m latest=@m | stats count as data_count
But also, Alert isn't trigged . In triggered Alerts page don;t appeared.
I check search result in Job manager, Search result is normal.
This fault is the same for linux and windows platform.
When alert condition is number of result, alert trigger is normal.