Can't create alerts using splunk_saved_searches, it keeps creating them as reports #150
Comments
In order to set the saved search as an alert, you'll need to specify Note that when setting the saved search as an alert with the parameter mentioned above and using
I'm running into this as well. Can anyone provide a minimal example that will produce an email alert instead of a report? Here's an example of something I'm attempting, but it's still being created as a report.

```hcl
resource "splunk_saved_searches" "example" {
  name                       = "alert_name"
  search                     = "index=main"
  description                = "My description"
  actions                    = "email"
  action_email_inline        = true
  action_email_message_alert = "Something broke!"
  action_email_send_results  = true
  action_email_subject       = "Splunk Alert: $name$"
  action_email_to            = "[email protected]"
  action_email_track_alert   = true
  cron_schedule              = "*/5 * * * *"
  is_scheduled               = true
  dispatch_earliest_time     = "-5m@m"
  dispatch_latest_time       = "now"
  dispatch_max_count         = 1
  acl {
    app     = "launcher"
    owner   = "my_user"
    sharing = "app"
  }
}
```

TIA!
@jeffsanicola try `alert_track = true`
@okaraev - that looks to have done the trick. Thank you!
I am trying to create an alert using "splunk_saved_searches" and it always creates it as a report instead of an alert.

For example, I have tried this configuration:

```hcl
resource "splunk_saved_searches" "saved_search" {
  actions                    = "email"
  action_email_format        = "table"
  action_email_max_time      = "5m"
  action_email_send_results  = true
  action_email_subject       = "Splunk Alert: $name$"
  action_email_message_alert = "$name$"
  action_email_to            = "[email protected]"
  action_email_track_alert   = true
  description                = "New search for user01"
  dispatch_earliest_time     = "rt-15m"
  dispatch_latest_time       = "rt-0m"
  name                       = "new-search-01"
  search                     = "index=main"
  alert_track                = false
  alert_comparator           = "greater than"
  alert_threshold            = 0
  acl {
    app     = "search"
    owner   = "admin"
    sharing = "app"
  }
  realtime_schedule = false
  cron_schedule     = "* * * * *"
  alert_suppress    = "true"
}
```
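The thread boils down to one question a detection engineer wants answered after `terraform apply`: did the saved search land in Splunk as an alert, or silently as a report? The following is an added example, not code from the issue or from the terraform-provider-splunk project. It audits the JSON that Splunk's `saved/searches` REST endpoint returns and flags searches that were meant to be alerts but were created as reports, using the reporter's configuration (no trigger condition, `alert_track = false`) and the fixed one (`alert_track = true`) as constructed sample data. The classification rule (scheduled, and either a trigger condition other than `always` or `alert.track` enabled) is an assumption drawn from savedsearches.conf semantics, not from the provider's code.

```python
"""Audit Splunk saved searches and flag ones that were created as reports.

Added example, not part of the issue or the terraform-provider-splunk project.
Assumption: Splunk lists a scheduled saved search as an alert (rather than a
report) when it has a trigger condition (alert_type other than "always") or
is tracked in Triggered Alerts (alert.track = 1).  The payload below is
constructed to mimic GET /servicesNS/<owner>/<app>/saved/searches?output_mode=json.
"""
import json


def _truthy(value):
    """Splunk REST returns booleans as '0'/'1' strings, occasionally as bools."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "t", "yes"}


def classify_saved_search(content):
    """Return 'alert' or 'report' for one saved search's ``content`` dict."""
    if not _truthy(content.get("is_scheduled", False)):
        return "report"  # never runs on its own, so it can never trigger
    has_condition = content.get("alert_type", "always") != "always"
    tracked = _truthy(content.get("alert.track", False))
    return "alert" if (has_condition or tracked) else "report"


def find_misdeployed_alerts(rest_json, intended_alerts):
    """Names in ``intended_alerts`` that Splunk actually holds as reports."""
    misdeployed = []
    for entry in json.loads(rest_json)["entry"]:
        name = entry["name"]
        if name in intended_alerts and classify_saved_search(entry["content"]) != "alert":
            misdeployed.append(name)
    return sorted(misdeployed)


# Constructed sample: four searches as the REST API would describe them.
SAMPLE_REST_JSON = json.dumps({
    "entry": [
        {   # the reporter's config: alert_track = false and no alert_type set
            "name": "new-search-01",
            "content": {"is_scheduled": "1", "cron_schedule": "* * * * *",
                        "actions": "email", "alert_type": "always",
                        "alert.track": "0"},
        },
        {   # the config after applying the fix from the thread
            "name": "alert_name",
            "content": {"is_scheduled": True, "cron_schedule": "*/5 * * * *",
                        "actions": "email", "alert_type": "always",
                        "alert.track": "1"},
        },
        {   # an explicit trigger condition, untracked: still an alert
            "name": "failed-logins-spike",
            "content": {"is_scheduled": "1", "cron_schedule": "*/15 * * * *",
                        "actions": "email", "alert_type": "number of events",
                        "alert_comparator": "greater than",
                        "alert_threshold": "10", "alert.track": "0"},
        },
        {   # an unscheduled saved search: correctly a report
            "name": "weekly-summary",
            "content": {"is_scheduled": "0", "alert_type": "always",
                        "alert.track": "0"},
        },
    ]
})

# Searches the Terraform code was supposed to deploy as alerts.
INTENDED_ALERTS = {"new-search-01", "alert_name", "failed-logins-spike"}

if __name__ == "__main__":
    for entry in json.loads(SAMPLE_REST_JSON)["entry"]:
        print(f"{entry['name']:<22} {classify_saved_search(entry['content'])}")
    print("misdeployed:", find_misdeployed_alerts(SAMPLE_REST_JSON, INTENDED_ALERTS))
```

Running this against the constructed payload reports only `new-search-01` as misdeployed, which matches the thread: without a trigger condition, `alert_track` is what tips a scheduled search from report to alert. Pointing `find_misdeployed_alerts` at a live REST response (with the `intended_alerts` set generated from `terraform state`) gives a post-apply check that a detection rule is actually going to fire.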