Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what's the correct format for multiple email addresses in an alert?

brettcave
Builder
‎08-19-2013 08:51 AM

If I run a manual search and then create an alert, modal dialog wizard that walks me through the alert setup requests a semi-colon seperated list of email addresses. However, when editing an alert via the manager, the help text under the email recipient box says a comma-seperated list.

Are both compatible? I am busy trying to troubleshoot why some alerts are not being sent by our splunk server, and it seems to be alerts with multiple email addresses that are breaking.

Where could I get SMTP logs from the server? What other factors might be breaking SMTP alerts from coming through? I have tried both ";" and "," in the alert, and am still not receiving the alert. The search is a real-time search (earliest = "rt" and latest="rt"), and if I run the search manually in real-time I see results coming up.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

wrangler2x
Motivator
‎08-19-2013 12:55 PM

On linux you can find records of the mailings in

/opt/splunk/var/log/splunk/python.log

Looking like this at the start:

2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>

You may use either commas or semicolons to separate entries in the recipients list.

View solution in original post

Reply
Solved! Jump to solution

brettcave
Builder
‎08-20-2013 08:40 AM

yannk - I opened a new question that's more relevant - http://answers.splunk.com/answers/99747/real-time-alerts

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎08-20-2013 04:51 AM

Are you saying that when I create a search, neither of "Monitor in real-time over rolling window of..." and "Trigger in real-time whenever a result matches" should be used?

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎08-20-2013 04:49 AM

Thanks for the advice. I am refactoring a number of our rt alerts, will run on an hourly schedule. The alert I have was working, and stopped a month ago. The parameters have not changed.

0 Karma
Reply
Solved! Jump to solution
Solution

wrangler2x
Motivator
‎08-19-2013 12:55 PM

On linux you can find records of the mailings in

/opt/splunk/var/log/splunk/python.log

Looking like this at the start:

2013-08-19 12:01:08,402 INFO Sending email. subject=<snip!>

You may use either commas or semicolons to separate entries in the recipients list.

Reply
Solved! Jump to solution

brettcave
Builder
‎08-20-2013 04:33 AM

thanks. its not the emailing that's the problem, must be the alert.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎08-19-2013 10:39 AM

Remark : never use realtime alltime alerts (rt rt), they are very costly in resource and build up memory.

Change your script to just log a line when it's called. the problem may be the argument passing.

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎08-19-2013 08:53 AM

Seems like the problem is actually in the alert - I have tracking enabled, and if I create events that should trigger the alert, they are not showing in the alert manager either.

I have tried restarting the Splunk server, and it's still not working.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...