splunk / terraform-provider-splunk

Terraform Provider for Splunk
Mozilla Public License 2.0

splunk_saved_searches not able to create alert #166

Open acw-eng opened 1 year ago

acw-eng commented 1 year ago

Affected Resource(s)

splunk_saved_searches

Description

We have, relatively recently, been using the splunk_saved_searches resource to create alerts. However, this no longer appears to work. It will always create the saved search as a "Report" rather than an "Alert", even if the correct attributes are set that should create it as an alert.

For example, this simple resource should, and previously would have, created an "Alert":

resource "splunk_saved_searches" "basic_alert" {
  name                       = "basic alert"
  actions                    = "slack"
  action_slack_param_channel = slack_conversation.some_channel.name
  search                     = "index=foo string=bar"
}

I have tested many combinations of attributes such as alert_digest_mode, alert_type, alert_track and is_scheduled; however, all have the same result: creating a Report rather than an Alert.

Indeed alerts we have previously created using Terraform have been reverted to reports.

Versions

cbaxtersf commented 1 year ago

I'm able to do this with the following fields set:

# Attributes from the comment above, placed in the splunk_saved_searches
# resource block they belong to.
resource "splunk_saved_searches" "alert" {
  name        = var.name
  description = var.description

  alert_condition   = ""
  alert_digest_mode = true
  is_scheduled      = true
  alert_track       = true
  alert_severity    = var.alert_severity

  alert_type       = null
  alert_comparator = null
  alert_threshold  = null

  search = trimspace(var.search)

  cron_schedule          = var.cron_schedule
  dispatch_earliest_time = var.dispatch_earliest_time
  dispatch_latest_time   = "now"
}

msantos-repay commented 11 months ago

I also cannot create the alert/saved search. It throws the following error:

Error: 400 Bad Request: {"messages":[{"type":"ERROR","text":"windowed real-time per result alerts require field based alert throttling to be enabled"}]}

I'm trying to pass alert_type as "number of events". One colleague told me it only works by creating it as an always-running alarm:

alert_type             = "always"
cron_schedule          = "* * * * *"
dispatch_earliest_time = "rt"
dispatch_latest_time   = "rt"
is_scheduled           = true

Version: 1.4.22

But we need to pass it as "number of events" with the proper cron expression.
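For comparison, here is a complete splunk_saved_searches resource written as a scheduled, count-based alert: alert_type "number of events" with a comparator and threshold, a cron schedule, and a scheduled lookback window instead of the real-time ("rt") dispatch that the 400 error above relates to. This is an added example, not code from the thread or from the provider's own documentation; the attribute names follow the provider's splunk_saved_searches schema as I know it, and the search string, threshold and the slack_conversation.soc_alerts reference are constructed placeholders.

```hcl
# Added example (not from this thread): a splunk_saved_searches resource that
# Splunk should list as an Alert, triggered on event count over a scheduled window.
# Assumed: slack_conversation.soc_alerts, the index and the sourcetype are
# placeholders to substitute for your own environment.
resource "splunk_saved_searches" "failed_logins_alert" {
  name        = "Failed logins burst"
  description = "Scheduled alert: more than 20 failed logins in the last 15 minutes"

  # Constructed search; adjust index and sourcetype to your environment.
  search = "index=auth sourcetype=linux_secure action=failure | stats count by user"

  # Scheduled (not real-time) dispatch: a 15 minute lookback evaluated every 5 minutes.
  is_scheduled           = true
  cron_schedule          = "*/5 * * * *"
  dispatch_earliest_time = "-15m"
  dispatch_latest_time   = "now"

  # Make it an alert rather than a report: a count-based trigger condition.
  alert_type        = "number of events"
  alert_comparator  = "greater than"
  alert_threshold   = "20"
  alert_digest_mode = true # one notification per run, not one per result row
  alert_track       = true # list triggers under Activity > Triggered Alerts
  alert_severity    = 4    # Splunk scale 1 (debug) to 6 (fatal); 4 = error

  # Throttle repeat notifications for 30 minutes after a trigger.
  alert_suppress        = true
  alert_suppress_period = "30m"

  # Notification action.
  actions                    = "slack"
  action_slack_param_channel = slack_conversation.soc_alerts.name
}
```

After `terraform apply`, the saved search should appear under Alerts rather than Reports in Splunk; if it still shows as a Report, check the provider version against the behaviour reported at the top of this issue.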