terraform-provider-splunk icon indicating copy to clipboard operation
terraform-provider-splunk copied to clipboard

Published 20 hours ago verified publisher icon splunk

Can't create alert's using splunk_saved_searches it keep create it as report

Open tameraz-tr opened this issue 2 years ago • 4 comments

I am trying to create an alert using "splunk_saved_searches" and it always creates it as a report instead of an alert. For example, I have tried this configuration: resource "splunk_saved_searches" "saved_search" { actions = "email" action_email_format = "table" action_email_max_time = "5m" action_email_send_results = true action_email_subject = "Splunk Alert: $name$" action_email_message_alert = "$name$" action_email_to = "[email protected]" action_email_track_alert = true description = "New search for user01" dispatch_earliest_time = "rt-15m" dispatch_latest_time = "rt-0m" name = "new-search-01" search = "index=main" alert_track = false alert_comparator = "greater than" alert_threshold = 0 acl { app = "search" owner = "admin" sharing = "app" } realtime_schedule = false cron_schedule = "* * * * *" alert_suppress = "true" }

tameraz-tr avatar Mar 01 '23 21:03 tameraz-tr

In order to set the saved search as an alert, you'll need to specify is_scheduled = "true".

Note that when setting the saved search as an alert with the paramater mentioned above and using alert_suppress = "true", you'll also have to specify alert_suppress_period and not leave it empty, otherwise the alert validation would fail and the saved search won't be created.

doronkg avatar Mar 03 '23 15:03 doronkg

I'm running into this as well.

Can anyone provide a minimal example that will produce an email alert instead of a report?

Here's an example of something I'm attempting but it's still being created as a report.

resource "splunk_saved_searches" "example" {
  name        = "alert_name"
  search      = "index=main"
  description = "My description"

  actions = "email"

  action_email_inline        = true
  action_email_message_alert = "Something broke!"
  action_email_send_results  = true
  action_email_subject       = "Splunk Alert: $name$"
  action_email_to            = "[email protected]"
  action_email_track_alert   = true

  cron_schedule = "*/5 * * * *"
  is_scheduled  = true

  dispatch_earliest_time = "-5m@m"
  dispatch_latest_time   = "now"
  dispatch_max_count     = 1

  acl {
    app     = "launcher"
    owner   = "my_user"
    sharing = "app"
  }
}

TIA!

jeffsanicola avatar Apr 14 '23 20:04 jeffsanicola

@jeffsanicola try alert_track = true

okaraev avatar Apr 15 '23 23:04 okaraev

@okaraev - that looks to have done the trick. Thank you!

jeffsanicola avatar Apr 17 '23 14:04 jeffsanicola