If I run a manual search and then create an alert, the modal dialog wizard that walks me through the alert setup requests a semicolon-separated list of email addresses. However, when editing an alert via the manager, the help text under the email recipient box says a comma-separated list.
Are both compatible? I am busy trying to troubleshoot why some alerts are not being sent by our Splunk server, and it seems to be alerts with multiple email addresses that are breaking.
Where could I get SMTP logs from the server? What other factors might be breaking SMTP alerts from coming through? I have tried both ";" and "," in the alert, and am still not receiving the alert. The search is a real-time search (earliest = "rt" and latest="rt"), and if I run the search manually in real-time I see results coming up.
On linux you can find records of the mailings in
/opt/splunk/var/log/splunk/python.log
Looking like this at the start:
2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>
You may use either commas or semicolons to separate entries in the recipients list.
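As an added example (not part of the original thread), a small Python check that scans python.log lines like the one above for "Sending email." records and normalizes a recipient list written with either separator. The log lines are constructed to match the format shown, not copied from a real server.

```python
import re

# Constructed sample of python.log content in the format quoted above (not real server output).
SAMPLE_LOG = """\
2013-08-19 12:01:08,402 INFO Sending email. subject=Alert: failed logins
2013-08-19 12:02:15,011 ERROR Error sending mail: [Errno 111] Connection refused
2013-08-19 12:05:30,777 INFO Sending email. subject=Alert: disk full
"""

# "<date> <time>,<millis> <LEVEL> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (?P<level>\w+) (?P<msg>.*)$")
SEND_PREFIX = "Sending email. subject="

def split_recipients(value):
    """Accept both the comma- and the semicolon-separated forms the two Splunk UIs ask for."""
    return [addr.strip() for addr in re.split(r"[;,]", value) if addr.strip()]

def sent_emails(log_text):
    """Return (timestamp, subject) for every INFO 'Sending email.' record, in file order."""
    sent = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "INFO":
            continue
        msg = m.group("msg")
        if msg.startswith(SEND_PREFIX):
            sent.append((m.group("ts"), msg[len(SEND_PREFIX):]))
    return sent

def mail_errors(log_text):
    """Return the message text of every ERROR record (SMTP failures surface here)."""
    return [m.group("msg") for m in map(LINE_RE.match, log_text.splitlines())
            if m and m.group("level") == "ERROR"]

def was_mailed(log_text, subject):
    """True if a 'Sending email.' record with exactly this subject exists."""
    return any(s == subject for _, s in sent_emails(log_text))

if __name__ == "__main__":
    for ts, subject in sent_emails(SAMPLE_LOG):
        print(ts, "->", subject)
    print("errors:", mail_errors(SAMPLE_LOG))
```

If an alert's subject never appears in sent_emails() output and mail_errors() is empty, the alert never reached the mail step, which points at the alert condition rather than SMTP.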
yannk - I opened a new question that's more relevant - http://answers.splunk.com/answers/99747/real-time-alerts
Are you saying that when I create a search, neither of "Monitor in real-time over rolling window of..." and "Trigger in real-time whenever a result matches" should be used?
Thanks for the advice. I am refactoring a number of our rt alerts, will run on an hourly schedule. The alert I have was working, and stopped a month ago. The parameters have not changed.
Thanks. It's not the emailing that's the problem, must be the alert.
Remark: never use real-time all-time alerts (rt rt), they are very costly in resources and build up memory.
Change your script to just log a line when it's called. the problem may be the argument passing.
Seems like the problem is actually in the alert - I have tracking enabled, and if I create events that should trigger the alert, they are not showing in the alert manager either.
I have tried restarting the Splunk server, and it's still not working.