Reputation: 13
How can we create splunk alerts using config files?
I am new to splunk and I am trying to configure alerts using configuration files, so I used the following savedsearches.conf file but I can't see the new alert in the UI:
[Gurobitest]
# send an email notification
action.email = 1
action.email.to = <my email address>
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0/1 * * * *
#search for results in the last day
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","latitude"]
display.page.search.mode = verbose
display.visualizations.charting.chart = area
display.visualizations.type = mapping
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = host=<hostname> sourcetype=gurobi_expirationUpvotes: 1
Views: 693
Answers (2)
Reputation: 13
I updated the savedsearches.conf file as you suggested but still can't see the alert
[Gurobitest]
# send an email notification
action.email = 1
action.email.to = <my_email_address>
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 23 * * *
counttype = number of events
quantity = 0
relation = greater than
#search for results in the last day
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","latitude"]
display.page.search.mode = verbose
display.visualizations.charting.chart = area
display.visualizations.type = mapping
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = sourcetype=gurobi_expirationUpvotes: 0
Reputation: 9926
There are two issues preventing the alert from being displayed. The first is the cron_schedule setting. Splunk doesn't recognize 0/1 * * * * as a valid cron expression so the alert is ignored. There should be a log message to that effect in index=_internal. Changing the schedule to * * * * * fixed it for me, but that's a short-term solution since it's rarely necessary to run an alert every minute (who will respond that quickly?).
The other issue is the missing counttype setting. It defaults to "always", which makes the search a report rather than an alert. Changing it to "number of events" makes the alert show up on my system.
Upvotes: 1
Related Questions
- What search terms should I use when creating alert that is triggered when there are no logs coming from service in Splunk?
- Splunk REST API: How to set "Send to triggered alerts" action when creating an alert?
- Splunk Alert Creation
- Splunk: Is there a way to get warning lights in Splunk dashboards?
- Setting up Splunk alerting
- Setting up alerts for metrics in Splunk
- How to make an Alert in Splunk?
- Splunk alert based on the search result value
- Splunk: setting up real time alerts
- handling server reboot in splunk alerts