
Complex Search causes Script Alert Action to not fire


Hi All,

I ran into an issue where certain searches seem to cause scripted alert actions to fail. In trying to figure out what was wrong, I created a VERY basic search, and a VERY basic scripted alert... Essentially, echo.bat, which echoes some parameters to a local Splunk drive. I configured the alert to ALWAYS fire, regardless of the results, and also configured an email alert so I'd get double verification that the search was running. With the simple search, this works exactly as expected.. So I simply CLONED the search, and then replaced the simple search with my more complex search.. I still get the email every minute, but the echo.bat does not work. Seems to me that there is a bug in the system.. Anyone else run across this? BTW.. here are the searches I used...

Search 1:
exception | stats count by host

Search 2:
index=summary search_name=IIS earliest=-2d@d latest=-1d@d | regex search_name="IIS_(ORDER|PRODUCT|WWW)" | stats avg(response_time) as rt_yesterday by search_name |append maxtime=600 [search index=summary search_name=IIS earliest=-60m@m latest=-0m@m | regex search_name="IIS_(ORDER|PRODUCT|WWW)" | stats avg(response_time) as rt_today by search_name] | stats values(rt_yesterday) as yesterday values(rt_today) as today by search_name | eval %change = (today-yesterday)/yesterday*10

