Splunk Search

I have a search using a field I created and it produces results, but why is an email not sent when I make it an alert?

omuelle1
Communicator

Hi Splunk Users,

I created an alert using a field that I created and I only want to receive alerts where that field (it is a time stamp) is older than 2 days:

index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico"  Looking_time=* | eval testDate=strptime(Looking_time,"%Y-%m-%d")
| where testDate < relative_time(now(),"-2d@d")

The search works and it gives results when tested in the search app. I made sure that the field has the right permissions and had another user test it and it does work as well.

However, when I create an alert using this search, it will not send emails when the error occurs.

When I click "View Recent" under Actions in "Searches, Reports, and Alerts", I see that the search is at 100%, but it still says it is waiting to finish, so I am thinking somehow something is wrong in my search. However, when I use the search without the alert, it yields results.

I have tried several settings in my alert and it worked when I used the search like this:

index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico"  Looking_time=* 

However, it does not work when I give the | eval part:

index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico"  Looking_time=* | eval testDate=strptime(Looking_time,"%Y-%m-%d")
| where testDate < relative_time(now(),"-2d@d")

Thanks for your help!

Oliver

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try something like this

index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico"  Looking_time=*
| where strptime(Looking_time,"%Y-%m-%d") < relative_time(now(),"-2d@d")

OR (I personally like this method)

index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico"  [ |gentimes start=-1 | eval Looking_time=strftime(relative_time(now(),"-2d@d"),"%Y-%m-%d") | table Looking_time]
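To make the cutoff semantics of the two searches above checkable offline, here is an added example (my own code, not from this thread or from Splunk) that models what they compute in Python: strptime() of a bare "%Y-%m-%d" value yields midnight of that day, relative_time(now(),"-2d@d") steps back two days and snaps to midnight, and a value that does not match the format gives null, which the where clause silently drops. The second function models the subsearch variant, which expands to a single literal Looking_time value. The event list and the fixed "now" are constructed sample data; the wms index, the message text and the Looking_time field name are taken from the question.

```python
"""Model of the two SPL filters from the answer (added example, not Splunk code).

  | where strptime(Looking_time,"%Y-%m-%d") < relative_time(now(),"-2d@d")
  ... [ | gentimes start=-1 | eval Looking_time=strftime(relative_time(now(),"-2d@d"),"%Y-%m-%d") | table Looking_time ]
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events; "now" is pinned so the result is reproducible.
NOW = datetime(2024, 3, 15, 14, 30, 0)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"_raw": "ReprocessCICOProcessor for login x Failed while reprocessing the cico", "Looking_time": "2024-03-10"},
    {"_raw": "ReprocessCICOProcessor for login y Failed while reprocessing the cico", "Looking_time": "2024-03-13"},  # the -2d@d day itself
    {"_raw": "ReprocessCICOProcessor for login z Failed while reprocessing the cico", "Looking_time": "2024-03-14"},
    {"_raw": "ReprocessCICOProcessor for login w Failed while reprocessing the cico", "Looking_time": "2024-03-15"},
    {"_raw": "ReprocessCICOProcessor for login v Failed while reprocessing the cico", "Looking_time": "15/03/2024"},  # wrong format
    {"_raw": "ReprocessCICOProcessor for login u Failed while reprocessing the cico"},  # no Looking_time: fails Looking_time=*
]


def relative_time(now: datetime, days_back: int) -> datetime:
    """SPL relative_time(now(), "-<n>d@d"): go back n days, then snap to midnight."""
    return (now - timedelta(days=days_back)).replace(hour=0, minute=0, second=0, microsecond=0)


def strptime_or_null(value: str, fmt: str = "%Y-%m-%d") -> Optional[datetime]:
    """SPL strptime() returns null when the value does not match the format.
    A null on either side of '<' evaluates false, so `where` drops that event
    without any error, which is one way an alert can quietly match nothing."""
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def where_older_than(events: List[Dict[str, str]], now: datetime, days_back: int = 2) -> List[str]:
    """First variant: keep events whose Looking_time is strictly before the snapped cutoff."""
    cutoff = relative_time(now, days_back)
    kept = []
    for ev in events:
        if "Looking_time" not in ev:  # Looking_time=* in the base search already excludes these
            continue
        ts = strptime_or_null(ev["Looking_time"])
        if ts is not None and ts < cutoff:
            kept.append(ev["Looking_time"])
    return kept


def subsearch_filter(events: List[Dict[str, str]], now: datetime, days_back: int = 2) -> List[str]:
    """Second variant: the subsearch expands to the literal filter
    Looking_time="<date two days ago>", so only events on exactly that day match."""
    wanted = relative_time(now, days_back).strftime("%Y-%m-%d")
    return [ev["Looking_time"] for ev in events if ev.get("Looking_time") == wanted]


if __name__ == "__main__":
    print("cutoff:", relative_time(NOW, 2).isoformat())
    print("where-variant keeps:", where_older_than(SAMPLE_EVENTS, NOW))
    print("subsearch-variant keeps:", subsearch_filter(SAMPLE_EVENTS, NOW))
```

Running it shows the difference between the two forms: with the pinned clock the cutoff is 2024-03-13 00:00, the where variant keeps only 2024-03-10 (the 2024-03-13 event is not strictly older than the cutoff), and the subsearch variant keeps only the 2024-03-13 event. The malformed "15/03/2024" value is dropped by both, which is worth keeping in mind when an alert fires less often than expected.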



omuelle1
Communicator

Thank you, those searches work as well. I don't know why, but the alert is sending now with the old search as well.

0 Karma

woodcock
Esteemed Legend

Be sure to click "Accept".

0 Karma

aholzer
Motivator

Make sure you have configured the email settings on the Search Head running the search: Settings > Server Settings > Email Settings

Hope this helps

0 Karma