splunk / terraform-provider-splunk

Terraform Provider for Splunk
Mozilla Public License 2.0

Can't create alerts using splunk_saved_searches; it keeps creating them as a report #150

Open tameraz-tr opened 1 year ago

tameraz-tr commented 1 year ago

I am trying to create an alert using "splunk_saved_searches" and it always creates it as a report instead of an alert. For example, I have tried this configuration:

resource "splunk_saved_searches" "saved_search" {
  actions                    = "email"
  action_email_format        = "table"
  action_email_max_time      = "5m"
  action_email_send_results  = true
  action_email_subject       = "Splunk Alert: $name$"
  action_email_message_alert = "$name$"
  action_email_to            = "user01@splunk.com"
  action_email_track_alert   = true
  description                = "New search for user01"
  dispatch_earliest_time     = "rt-15m"
  dispatch_latest_time       = "rt-0m"
  name                       = "new-search-01"
  search                     = "index=main"
  alert_track                = false
  alert_comparator           = "greater than"
  alert_threshold            = 0
  acl {
    app     = "search"
    owner   = "admin"
    sharing = "app"
  }
  realtime_schedule = false
  cron_schedule     = " *"
  alert_suppress    = "true"
}

doronkg commented 1 year ago

In order to set the saved search as an alert, you'll need to specify is_scheduled = "true".

Note that when setting the saved search as an alert with the parameter mentioned above and using alert_suppress = "true", you'll also have to specify alert_suppress_period and not leave it empty, otherwise the alert validation would fail and the saved search won't be created.

jeffsanicola commented 1 year ago

I'm running into this as well.

Can anyone provide a minimal example that will produce an email alert instead of a report?

Here's an example of something I'm attempting but it's still being created as a report.

resource "splunk_saved_searches" "example" {
  name        = "alert_name"
  search      = "index=main"
  description = "My description"

  actions = "email"

  action_email_inline        = true
  action_email_message_alert = "Something broke!"
  action_email_send_results  = true
  action_email_subject       = "Splunk Alert: $name$"
  action_email_to            = "user@example.com"
  action_email_track_alert   = true

  cron_schedule = "*/5 * * * *"
  is_scheduled  = true

  dispatch_earliest_time = "-5m@m"
  dispatch_latest_time   = "now"
  dispatch_max_count     = 1

  acl {
    app     = "launcher"
    owner   = "my_user"
    sharing = "app"
  }
}

TIA!

okaraev commented 1 year ago

@jeffsanicola try alert_track = true

jeffsanicola commented 1 year ago

@okaraev - that looks to have done the trick. Thank you!
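Putting the two answers in this thread together, here is an added example of a splunk_saved_searches resource that comes out as a scheduled email alert rather than a report. It is not code from the issue or from the provider's own docs; the resource name, search string, recipient address and schedule are constructed placeholders, and alert_type is taken from the provider's documented schema rather than from this thread. From a detection standpoint the point of the three commented settings is that a scheduled search saved as a report never runs its alert action, so a rule that looks deployed may silently never notify anyone.

```hcl
# Example (constructed, not from the issue): a scheduled email alert.
resource "splunk_saved_searches" "failed_logins_alert" {
  name        = "failed-logins-alert"        # constructed name
  search      = "index=main sourcetype=linux_secure \"Failed password\" | stats count"  # constructed query
  description = "Alert on SSH password failures in the last 5 minutes"

  # 1. Without is_scheduled = true the search is saved but never runs on the
  #    cron schedule (doronkg's answer).
  is_scheduled  = true
  cron_schedule = "*/5 * * * *"

  # 2. Without alert_track = true Splunk stores the object as a report and the
  #    email action is never triggered (okaraev's answer).
  alert_track = true

  # Alert condition: fire when the search returns more than 0 results.
  alert_type       = "number of events"   # documented provider attribute, not from the thread
  alert_comparator = "greater than"
  alert_threshold  = 0

  dispatch_earliest_time = "-5m@m"
  dispatch_latest_time   = "now"

  # Email action settings.
  actions                    = "email"
  action_email_to            = "soc@example.com"   # constructed address
  action_email_subject       = "Splunk Alert: $name$"
  action_email_message_alert = "Failed SSH logins exceeded threshold"
  action_email_send_results  = true
  action_email_inline        = true
  action_email_track_alert   = true

  # 3. alert_suppress without alert_suppress_period fails alert validation and
  #    the resource is not created at all (doronkg's answer), so set both.
  alert_suppress        = true
  alert_suppress_period = "15m"

  acl {
    app     = "search"
    owner   = "admin"
    sharing = "app"
  }
}
```

After `terraform apply`, the object should appear under Alerts (not Reports) in the Splunk UI for the app named in the acl block; if it still shows up as a report, check that both is_scheduled and alert_track are literally true, since a false default on either one is enough to turn it back into a report.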