splunk_saved_searches not able to create alert #166

Open

acw-eng opened this issue Jun 8, 2023 · 2 comments

Comments


acw-eng commented Jun 8, 2023

Affected Resource(s)

splunk_saved_searches

Description

We have, relatively recently, been using the splunk_saved_searches resource to create alerts. However, this no longer appears to work. It will always create the saved search as a "Report" rather than an "Alert", even if the correct attributes are set that should create it as an alert.

For example, this simple resource should, and previously would have, created an "Alert":

```hcl
resource "splunk_saved_searches" "basic_alert" {
  name                       = "basic alert"
  actions                    = "slack"
  action_slack_param_channel = slack_conversation.some_channel.name
  search                     = "index=foo string=bar"
}
```

I have tested many combinations of attributes, such as alert_digest_mode, alert_type, alert_track and is_scheduled; however, all have the same result: creating a Report rather than an Alert.

Indeed alerts we have previously created using Terraform have been reverted to reports.

Versions

  • Splunk Cloud
  • Terraform v1.4.6 on darwin_amd64
  • provider registry.terraform.io/splunk/splunk v1.4.19
@cbaxtersf commented

I'm able to do this with the following fields set:

```hcl
# The commenter's field set, wrapped in the resource block it belongs to so it
# applies as-is. The var.* inputs are the commenter's own module variables,
# declared elsewhere in their configuration.
resource "splunk_saved_searches" "alert" {
  name        = var.name
  description = var.description

  alert_condition   = ""
  alert_digest_mode = true
  is_scheduled      = true
  alert_track       = true
  alert_severity    = var.alert_severity

  alert_type       = null
  alert_comparator = null
  alert_threshold  = null

  search = trimspace(var.search)

  cron_schedule          = var.cron_schedule
  dispatch_earliest_time = var.dispatch_earliest_time
  dispatch_latest_time   = "now"
}
```

@msantos-repay commented

I also cannot create the alert/saved search. It throws the following error:

```text
Error: 400 Bad Request: {"messages":[{"type":"ERROR","text":"windowed real-time per result alerts require field based alert throttling to be enabled"}]}
```

I'm trying to pass alert_type as "number of events". One colleague told me it only works when creating it as an always-running alarm:

```hcl
# Attributes inside the splunk_saved_searches resource block
alert_type             = "always"
cron_schedule          = "* * * * *"
dispatch_earliest_time = "rt"
dispatch_latest_time   = "rt"
is_scheduled           = true
```

Version: 1.4.22

But we need to pass it as "number of events" with the proper cron expression.
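The two failure modes in this thread (a saved search silently stored as a Report, and the 400 on a windowed real-time per-result alert) are both visible in what Splunk actually stored, not in the Terraform plan. The script below is an added example, not code from the terraform-provider-splunk project or from any commenter. It parses the JSON shape returned by `GET /services/saved/searches?output_mode=json` and (a) classifies each saved search as alert or report, (b) reports drift against a list of names that are expected to be alerts, and (c) flags configurations that would trip the "windowed real-time per result alerts require field based alert throttling" error. Two assumptions are labelled in the code: the alert/report test mirrors the filter Splunk Web uses for its Alerts listing as I understand it (scheduled, and `alert_type != always` or `alert.track = 1` or a real-time search with actions), and the 400 pre-check is derived from the wording of the error message itself. The sample response is constructed for this example; the `rt_window_per_result_problem` and `audit` function names are mine.

```python
import json

# Constructed sample of GET /services/saved/searches?output_mode=json, trimmed
# to the fields this check reads. Note the naming split in Splunk's own keys:
# alert_type / alert_comparator / alert_threshold use underscores, while
# alert.track / alert.digest_mode / alert.suppress* use dots (the Terraform
# provider exposes all of them with underscores, e.g. alert_track).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        # the issue's basic_alert resource as Splunk stored it
        {"name": "basic alert", "content": {
            "is_scheduled": "1", "alert_type": "always", "alert.track": "0",
            "actions": "slack", "dispatch.earliest_time": "-15m",
            "dispatch.latest_time": "now", "search": "index=foo string=bar"}},
        # the second comment's field set (alert_track = true, alert_type null)
        {"name": "tracked alert", "content": {
            "is_scheduled": "1", "alert_type": "always", "alert.track": "1",
            "alert.digest_mode": "1", "cron_schedule": "*/5 * * * *",
            "dispatch.earliest_time": "-5m", "dispatch.latest_time": "now"}},
        # a threshold alert of the kind the third comment wants
        {"name": "failed logins", "content": {
            "is_scheduled": "1", "alert_type": "number of events",
            "alert_comparator": "greater than", "alert_threshold": "5",
            "alert.digest_mode": "1", "cron_schedule": "*/5 * * * *",
            "dispatch.earliest_time": "-5m", "dispatch.latest_time": "now"}},
        # the shape that produces the 400 in the third comment
        {"name": "rt per result", "content": {
            "is_scheduled": "1", "alert_type": "number of events",
            "alert.digest_mode": "0", "alert.suppress": "0",
            "alert.suppress.fields": "", "actions": "slack",
            "dispatch.earliest_time": "rt-5m", "dispatch.latest_time": "rt"}},
    ]
})


def _truthy(value) -> bool:
    """Splunk returns booleans as "1"/"0", true/false or "true"/"false"."""
    return str(value).strip().lower() in ("1", "true")


def is_alert(content: dict) -> bool:
    """ASSUMPTION: mirrors the filter Splunk Web applies for its Alerts page:
    is_scheduled AND (alert_type != always OR alert.track = 1
                      OR real-time search with actions)."""
    if not _truthy(content.get("is_scheduled", "0")):
        return False
    if content.get("alert_type", "always") != "always":
        return True
    if _truthy(content.get("alert.track", "auto")):
        return True
    earliest = str(content.get("dispatch.earliest_time", ""))
    latest = str(content.get("dispatch.latest_time", ""))
    return earliest.startswith("rt") and latest.startswith("rt") \
        and bool(content.get("actions"))


def rt_window_per_result_problem(content: dict):
    """Return a message if this config would hit the 400 seen in the thread.
    Derived from the error text: a windowed real-time search (rt-<window> .. rt),
    per-result mode (alert.digest_mode = 0) and no field-based throttling."""
    earliest = str(content.get("dispatch.earliest_time", ""))
    latest = str(content.get("dispatch.latest_time", ""))
    windowed_rt = earliest.startswith("rt-") and latest.startswith("rt")
    per_result = not _truthy(content.get("alert.digest_mode", "1"))
    throttled_by_field = _truthy(content.get("alert.suppress", "0")) \
        and bool(str(content.get("alert.suppress.fields", "")).strip())
    if windowed_rt and per_result and not throttled_by_field:
        return ("windowed real-time per-result alert without field throttling: "
                "set alert_digest_mode = true, or alert_suppress = true with "
                "alert_suppress_fields, or use a cron schedule instead of rt")
    return None


def audit(response_json: str, expected_alerts):
    """Classify every saved search and list expected alerts that came back
    as reports (those never fire their actions, so this is detection drift)."""
    entries = json.loads(response_json)["entry"]
    kinds = {e["name"]: ("alert" if is_alert(e["content"]) else "report")
             for e in entries}
    problems = {e["name"]: msg for e in entries
                if (msg := rt_window_per_result_problem(e["content"]))}
    drift = sorted(n for n in expected_alerts if kinds.get(n) != "alert")
    return kinds, drift, problems


if __name__ == "__main__":
    kinds, drift, problems = audit(
        SAMPLE_RESPONSE, ["basic alert", "tracked alert", "failed logins"])
    for name, kind in kinds.items():
        print(f"{name!r}: {kind}")
    print("reverted to report:", drift)
    print("would 400 on save:", problems)
```

To run this against a real deployment, replace `SAMPLE_RESPONSE` with the body of `curl -sk -u admin "https://<splunk-host>:8089/services/saved/searches?output_mode=json&count=0"` and pass the names of the Terraform-managed alerts; a non-empty drift list after `terraform apply` is the signal the issue describes.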
