Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why aren't alerts triggering in my search on S...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created an alert w/ a basic search:
index=_internal | stats count
Cron Expression: */1 * * * *
Alert condition choise customer, Trigger Conditions: search count>0
Trigger Actions is Add to Triggered Alerts.
But no alert messages are showing in the Trigger alerts page.
I'm testing w/ Splunk versions 8.0.4. and 8.0.2.
The same alert configration is normal in Splunk 7.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Question solved. Cause alert.condition item of alert configuration file savesearch.conf have wrong Greater than escape.
For example: normal: alert_condition = search data_count > 0
splunk 8 : alert_condition = search count > 0
Testing splunk version is 8.0.4, Suggestion next version fix bug.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Question solved. Cause alert.condition item of alert configuration file savesearch.conf have wrong Greater than escape.
For example: normal: alert_condition = search data_count > 0
splunk 8 : alert_condition = search count > 0
Testing splunk version is 8.0.4, Suggestion next version fix bug.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could you give us more details?
Check whether the search is producing any results.
Also, include the time window in the search as below.
index="your_index" sourcetype="your_st" earliest=-1h@h latest=@h
I am searching for a window of one hour
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified base search:
index=_internal sourcetype=splunkd earliest=-10m@m latest=@m | stats count as data_count
But also, Alert isn't trigged . In triggered Alerts page don;t appeared.
I check search result in Job manager, Search result is normal.
This fault is the same for linux and windows platform.
When alert condition is number of result, alert trigger is normal.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
