Alerting

Why are alerts not working?

Pablo00
Explorer

Hello,
I just started with Splunk and I need your help. I am not sure why alerts are not working for me.

This is an example (looking for a ping event + PowerShell):

I set it up to send an email to my inbox. (Do I need to configure SMTP or something, or will it work without any configuration?)

Also, I can't see anything in the Alert tab, just a message: "There are no fired events for this alert."

I am not sure what I am doing wrong, please help me if you can! Many thanks.

(I have 60 days of free Splunk.)

Thank you

VatsalJagani
Champion

@Pablo00 - Alerting is one of the features which is not available in the free license.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/MoreaboutSplunkFree

-------
I hope this helps! Kindly upvote if it does!

Pablo00
Explorer

Thanks, so this is even for the Enterprise Trial? I just registered and downloaded it, so I thought I would be able to use all the features.

"When you first download and install Splunk Enterprise, an Enterprise Trial license is created and enabled by default. You can continue to use the Enterprise Trial license until it expires, or switch to the Free license right away depending on your requirements."

So I understand there are no alerts via email, but also no alerts in the Splunk Alerts tab as well?

Please read this comment (after the trial ends):

isoutamo
SplunkTrust

Hi

Unless you can send email from your server's/workstation's command line, you must configure SMTP settings. You can find those under Settings -> Server Settings -> Email Settings. Its default is just to use its server's local email server (which you don't have on a laptop/workstation, and maybe isn't configured on your servers either).

r. Ismo

Pablo00
Explorer

Thank you!

So email alerts are a bit advanced then. I will try to do it anyway (as I have access to an Azure cloud subscription).

But I am wondering why I am not able to see any alerts in the web app? (When I go to search I am able to see events, so the alert should be triggered?)
Many thanks

isoutamo
SplunkTrust

When you are using a real-time alert (really, you never need to use real-time alerts; those usually generate more issues than they solve), it fires only when new events are coming in, not for those which you have already indexed. I propose that you change this to a "historic" alert where you define the time slot from which you are looking for those events, and then add a regular time when Splunk runs it (cron, or regularly once an hour/day etc.).

r. Ismo
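
Putting both of Ismo's suggestions into configuration form, as an added example that is not from the original thread or from Splunk's documentation: the SMTP settings that Settings -> Server Settings -> Email Settings writes, and a scheduled ("historic") alert with a fixed time window and cron schedule in place of a real-time one. The mail host, account names, recipient and the search string are assumed placeholders.

```ini
# alert_actions.conf (etc/system/local/) -- SMTP settings, the same values the
# Settings -> Server Settings -> Email Settings page writes. Host, port and
# account below are constructed placeholders, not real infrastructure.
[email]
mailserver = smtp.example.invalid:587
use_tls = 1
auth_username = splunk-alerts@example.invalid
auth_password = <REPLACE_WITH_SMTP_PASSWORD>
from = splunk-alerts@example.invalid

# savedsearches.conf (in the app that owns the alert) -- a scheduled alert
# instead of a real-time one. The search string is an assumed placeholder for
# the poster's "ping event + PowerShell" query.
[PowerShell ping activity]
search = index=main sourcetype=WinEventLog:* powershell ping
# Run every 15 minutes from the scheduler (cron syntax) ...
enableSched = 1
cron_schedule = */15 * * * *
# ... over the previous 15-minute window, snapped to the minute so that
# consecutive runs neither overlap nor leave gaps. A real-time search only
# sees events that arrive after the alert is saved; this one scans what
# is already indexed.
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
# Trigger when the search returns at least one event
counttype = number of events
relation = greater than
quantity = 0
# Record every firing under Activity -> Triggered Alerts, and send mail
alert.track = 1
action.email = 1
action.email.to = analyst@example.invalid
action.email.subject = Splunk alert: $name$
action.email.include.results_link = 1
```

With alert.track = 1 each run that meets the trigger condition appears in the Triggered Alerts list even when the email action fails, which separates "the alert never fired" from "the mail never arrived" while debugging.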

Pablo00
Explorer

Thank you for your help. I understand that now!

Very much appreciated 🙂