×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
vince88917
Explorer
Member since: ‎05-20-2022
‎03-08-2023
Community Statistics
Posts 5
Solutions 1
Karma Given 5
Karma Received 1
Member Since ‎05-20-2022
Activity Feed
View All

Re: Alert doesn't work, but clone does?

by in Alerting
‎10-17-2022 02:33 AM
1 Karma
‎10-17-2022 02:33 AM
1 Karma
For future reference, the alert did not specify an index so I rectified this. However, this did not solve the problem. As mentioned, I could clone the alert and this would run fine. I could also then change the ownership of the cloned alert to "nobody" and it would also run fine.  I wasn't content with this solution though, as centrally deployed configuration is strongly preferred to local changes in my environment. I've ended up deploying from SHC Deployer, making a simple local change (i.e. disabling), then undoing this local change (so, re-enabling) in order that no significant local change continues to exist. Doing this, I find the alert runs fine. Weird. ... View more

Re: Alert doesn't work, but clone does

by in Alerting
‎10-14-2022 01:48 PM
‎10-14-2022 01:48 PM
How do I ascertain the details of the role of “nobody”? ... View more

Re: Alert doesn't work, but clone does

by in Alerting
‎10-14-2022 07:21 AM
‎10-14-2022 07:21 AM
It feels like this is the right area. I have many other alerts and reports in the same app with owner=nobody that run with no problem. How do I debug this one further? ... View more

Alert doesn't work, but clone does?

by in Alerting
‎10-14-2022 05:53 AM
‎10-14-2022 05:53 AM
I have an alert with a "Send email" trigger action when the number of results is greater than zero. The aim is to send a table of results inline in the email. This isn't currently working - no email is being received when there are valid qualifying events in the search period (previous day). The alert was deployed using the SHC deployer, and is owned by "nobody". If I "Open in Search" I see results. If I clone the alert so a local version is run under my user context, I get the alert email sent.   Looking into _internal events, I can see that when the "nobody" search runs, no results are returned, and hence no email is sent - this isn't an issue with email configuration. Why does this search in this context give me no results? ... View more
Labels

Register new Universal Forwarder with existing Dep...

by in Deployment Architecture
‎05-20-2022 09:15 AM
‎05-20-2022 09:15 AM
I have a new UF installation and wish to register it with an existing Deployment Server. When I run the command: $SPLUNK_HOME/bin/splunk set deploy-poll <FQDN of DS>:<management port> I am prompted to login, and provide it with credentials that I am able to log into the DS Web interface. It gives me "Login failed" though.  How can I diagnose this further? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-08-2023 11:53 AM
Karma from
View All
Karma given to
View All