Hello. Thanks for the help in advance.
I am trying to make an alert that also indexes it's results, so the users can see the activated alert's results in a dashboard later.
The problem is that "log events" action (plus tokens in the event text) fails to save the data correctly when the alert has multiple results.
So i am trying this approach: https://docs.splunk.com/Documentation/Splunk/8.0.0/Alert/Updatealerts
However, following the docs page, when i set action.summary_index to "true" and save, it automatically goes back to "false". As if splunk was changing it when i press save.
Here's the search: (it is a test search)
| makeresults count=1
| eval funca = 1
| table funca
Also the alert is set to activate on a CRON schedule every 5 minutes: */5 * * * *
The alert is activating fine because i see it is adding it in the triggered alerts section.
if this is not the way to do this? What's the correct way then?
Thanks!
... View more