Did you mean to write   index=feed_index Not sure what you question means. ... View more

Hi. I had the same question of Splunk support.  I had asked ffor documentation clarification but it doesn't seem to have made it into this documentation https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/authorizeconf Support told me that list_settings allows a user to have access to settings endpoint. | rest splunk_server=local /services/server/settings We added it for our users. ... View more

Did you try providing an alert_actions.conf with the from address? [email] from = foo@bar.com ... View more

Hi. You asked this question last Friday. https://community.splunk.com/t5/Alerting/send-email-function-does-not-seem-to-be-working-after-upgrading/m-p/550000 Did you try looking at the logs as I suggested? ... View more

Hi. Have you tried searching your _internal logs? What error is in the python log? I did a search like index=_internal host=myhead* sourcetype=splunk_python   When I do the search I got something like 2021-04-30 23:07:02,181 +0000 INFO sendemail:156 - Sending email. subject="My Alert", results_link="https://myhost.mydomain.com:8000/app/search/@go?sid=scheduler_YWRtaW5fc3BsdW5r__search__RMD54eadd0aa6872f5e8_at_1619824020_41", recipients="['me@mydoamin.com']", server="mymailserver.mydomain:25" ... View more

Hi. How are you adding more data to the csv?  If you added a file using the lookup files -> new and then you are editing the actual file on disk, that likely won't work. I highly recommend using this app: https://splunkbase.splunk.com/app/1724/     ... View more

Hi. I am not sure I understand what you are asking. Look up the name where? What is the source? ... View more

Hi. I don't know what your data looks like but it might be something like  <search to get your logs...> | stats latest(CollectorWestCoastCount) AS WestCoastCount, latest(CollectorEastCoastCount) AS EastCoastCount by RemoteDevice | search WestCoastCount=0 AND EastCoastCount=0   And then alert when you have count > 0 If you show your log samples we can refine from here ... View more

Hi Orca. Have a look at this https://docs.splunk.com/Documentation/Splunk/8.1.3/Alert/Reviewtriggeredalerts What you have to do is for each alert you want to see in the triggered alert list you have to specifically tell the alert to be added to the Triggered alerts list. You get to specify a severity at that time. The documentation above shows you how to view the triggered alerts. As a best practice we have our alerts added to the Triggered alerts list. ... View more

For an alert you can trigger on each result.   ... View more

Hi.  There are several apps on Splunkbase. The one we use is https://splunkbase.splunk.com/app/2878/ 1) I got a Slack web hook and modify an alert_actions.conf   [slack] param.webhook_url = https://hooks.slack.com/services/ABC12345/YYYYYY/xxxxxx   2) easy test is to just send to yourself.  My Slack username is myuser. It arrives as Slackbot in Slack.   | sendalert slack param.channel="@myuser" param.message="Friday test"    3) And it works.  Look in  _audit   Audit:[timestamp=02-05-2021 22:03:32.419, user=myuser, action=search, info=granted , search_id='1612562612.438546_EC468701-9D5D-4C6B-B22C-9B179F397BB8', search='| sendalert slack param.channel="@myuser" param.message="Friday test"', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Feb 5 21:48:32 2021', apiEndTime='Fri Feb 5 22:03:32 2021', savedsearch_name=""][n/a]     Furthermore if I specified a bad username or bad slack channel   | sendalert slack param.channel="#nosuchchannel" param.message="Friday test"   I get an error in the browser Error in 'sendalert' command: Alert script returned error code 5. The search job has failed due to an error. You may be able view the job in the Job Inspector. If you look in the job inspector you can see the actual error   2-05-2021 22:08:21.401 INFO sendmodalert - action=slack STDERR - Running python 3 02-05-2021 22:08:21.401 WARN sendmodalert - action=slack STDERR - Validation warning: Parameter `attachment` must be ether "alert_link" or "message" 02-05-2021 22:08:21.401 INFO sendmodalert - action=slack STDERR - Using configured webhook URL: https://hooks.slack.com/services/T025DU6HX/BBLUA59Q9/xxxxxx 02-05-2021 22:08:21.401 ERROR sendmodalert - action=slack STDERR - HTTP request to Slack webhook URL failed: HTTP Error 404: Not Found 02-05-2021 22:08:21.401 ERROR sendmodalert - action=slack STDERR - Slack error response: b'channel_not_found' 02-05-2021 22:08:21.401 FATAL sendmodalert - action=slack STDERR - Alert action failed 02-05-2021 22:08:21.407 INFO sendmodalert - action=slack - Alert action script completed in duration=230 ms with exit code=5 02-05-2021 22:08:21.407 WARN sendmodalert - action=slack - Alert action script returned error code=5 02-05-2021 22:08:21.446 ERROR sendmodalert - Error in 'sendalert' command: Alert script returned error code 5.     ... View more

Hi. Other than the typo above where you had 23 instead of 22 that cron schedule syntax looks correct.   What is happening exactly for this alert?   You could look in the_internal log for the savedsearch_name= and see if the alert is firing. ... View more

Hi do you want to share exactly how you are setting up the alert condition and what are you using to alert? Can you check the _internal index for errors? ... View more

Hello. This sounds like the bug  we hit in 8.0.2 When we had an alert and then used custom criteria for alerting, if we had..    search count > 0 Splunk stored search count &gt; 0 in the savedsearches.conf and then the alert never fired. This bug was fixed in 8.0.5: https://docs.splunk.com/Documentation/Splunk/8.0.5/ReleaseNotes/Fixedissues SPL-189917 If you do an advanced edit, I believe you can see the bug.  If this is your case, the solution would be to upgrade to 8.0.8. I would not recommend 8.0.5 as it has this nasty bug  2020-07-15 SPL-192057, SPL-188608 Realtime and in-progress adhoc searches shows "Job terminated unexpectedly" on members of SHC other than the SH from which the search originated   We upgraded to 8.0.2 then 8.0.5 and then 8.0.6. ... View more

Advice: read the release notes carefully! ... View more

I used `burwellMacro(mlmodel1)` ... View more

I haven't done MLTK for a year but i did write some macros. I had a macro with model name and  I used... ... | apply "$model_name$"   ... View more

Hi. I think you need to remove the parens () around model name. Have a look here https://docs.splunk.com/Documentation/MLApp/5.2.0/User/Understandfitandapply There are a few examples including  ...| apply temp_model ... View more

Another idea: test out the PDF delivery with a super simple dashboard just to make sure all is working. I suggest one panel. ... View more

How about something like this   index=security sourcetype="Computers" "Computer Status"=Enabled earliest=-12mon@mon | timechart span=1day count | timechart span=1month earliest(count) AS count | eventstats avg(count)as avg max(count) as max min(count) as min | where count = max ..  change stats -> eventstats and then do some kind of comparison ... View more

So build on what @sjodle suggests here's what works best for me when I want to list a set of hosts to list in a slack window with carriage returns after each name. add space to the end of host name create new field name affected_hosts using values(host) so we have one field with all host names modify the new field to replace spaces with carriage return finally: use the field $result.affected_hosts$ in your slack message   <your search here> | eval host=host+" " | stats values(host) as affected_hosts | rex mode=sed field=affected_hosts "s/ /\n/g"   ... View more

| tstats count WHERE index=myindexname earliest=-60m latest=now ... View more

Hi. So the http event collect (HEC) can send to a set of indexers. I guess you are limited by how fast the HEC can send to the indexers and how fast the indexers in turn can ingest. I have seen recommendations from Splunk to indexer ingestion to be in the 300 to 400GB/day ingestion per indexer from all inputs but we push our indexers much harder. ... View more