My alert stopped emailing me today. It was fine previously. Looks like the alert didn't even notice the event.
Search alert:
sourcetype="access_combined_wcookie" 10.2.1.152 OR 10.2.1.153 status=500 startminutesago=1
scheduled to run every minute and alert when number of events is greater than 0
Search results:
12.50.83.238 - - [26/Jul/2011:10:36:25 -0700] "GET /android/search?pagesize=15&dapisum=5ea4825a3fc53f5e3010ead87d9624f2&cat=true&propertyType=h&sessionId=bdceNu7SbsVJHbw0RGNft&q=48066&maxRent=800&currentpage=0&minRent=600&deviceId=22a0000023e700f6&minBeds=2&version=1.0.2 HTTP1.1" 500 1229 "-" "android" "-" "74" "10.2.1.152" "8080" ""eventtype=PRDAPP12
107.50.83.238 - - [26/Jul/2011:10:36:13 -0700] "GET /android/search?pagesize=15&dapisum=5ea4825a3fc53f5e3010ead87d9624f2&cat=true&propertyType=h&sessionId=bdceNu7SbsVJHbw0RGNft&q=48066&maxRent=800&currentpage=0&minRent=600&deviceId=22a0000023e700f6&minBeds=2&version=1.0.2 HTTP1.1" 500 1229 "-" "android" "-" "153" "10.2.1.152" "8083" ""eventtype=PRDAPP12
Alert history:
07-26-2011 10:37:02.658 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='Alert - 1 500 on PRDAPP12 or PRDAPP13 from last minute' - result='success' - alert='number of events=0 greater than 0' - triggering - action='no action' - number of events=0
07-26-2011 10:36:02.573 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='Alert - 1 500 on PRDAPP12 or PRDAPP13 from last minute' - result='success' - alert='number of events=0 greater than 0' - triggering - action='no action' - number of events=0