https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447264#M8138 <P>You're getting duplicate alerts because of the way you setup your cron schedule and the timerange. Your timerange is saying look back the last 60 minutes and run the alert every 30 minutes. Maybe an example will clear this up</P> <P>Say its 6pm and your alert fires and checks if the count is greater than 0. The alert will look from 5pm - 6pm.. At 5:59pm you did have a result count greater than 0, so this triggers an alert action. Then your alert fires again at 6:30pm and looks over the timerange 5:30pm - 6:30pm and sees the exact same condition that the first alert fired (i.e. at 5:59pm). You need to either decrease your timerange to have it match the cron expression or increase your cron expression to match the timerange </P> Fri, 14 Dec 2018 14:46:39 GMT skoelpin 2018-12-14T14:46:39Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447260#M8134 <PRE><CODE>index=av source=avRawvirusAlertLog | table CLIENTTIME, CLIENTIPADDR, NAME, PATH, STATUS_msg, SCANTYPE_msg </CODE></PRE> <P>edit alert<BR /> alert type: reserved<BR /> time range: Last 60 minutes<BR /> cron: <EM>/30</EM>***<BR /> trigger: result count &gt; 0<BR /> trigger: once</P> <P>when I receive Splunk alert, always duplicate twice..</P> <P>How can I solve it?</P> Fri, 14 Dec 2018 08:16:12 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447260#M8134 lifekis 2018-12-14T08:16:12Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447261#M8135 <P>Your cron expression looks weird. If you meant every 30 minutes then type:</P> <PRE><CODE>*/30 * * * * </CODE></PRE> <P>EDIT: Never mind. I can see this is a formatting issue on splunkanswers when not using code blocks.</P> Fri, 14 Dec 2018 12:46:28 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447261#M8135 whrg 2018-12-14T12:46:28Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447262#M8136 <P>What are you receiving? An e-mail or other thing?</P> <P>Can you add information about time of alerts and logs who trigger the alert?</P> Fri, 14 Dec 2018 13:21:51 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447262#M8136 osakachan 2018-12-14T13:21:51Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447263#M8137 <P>First I would ask if you are getting multiple results in your search. Next I would ask if you are triggering the alert Once, or for each result. If for each result, are you seeing duplicate values for the results. For example if you want an alert for each CLIENTIPADDR, and you possible have 2 rows in your table with the same value for CLIENTIPADDR. If so, you could use dedup in your search or something. Have you tried throttling in the alert config? </P> Fri, 14 Dec 2018 14:22:58 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447263#M8137 kmorris_splunk 2018-12-14T14:22:58Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447264#M8138 <P>You're getting duplicate alerts because of the way you setup your cron schedule and the timerange. Your timerange is saying look back the last 60 minutes and run the alert every 30 minutes. Maybe an example will clear this up</P> <P>Say its 6pm and your alert fires and checks if the count is greater than 0. The alert will look from 5pm - 6pm.. At 5:59pm you did have a result count greater than 0, so this triggers an alert action. Then your alert fires again at 6:30pm and looks over the timerange 5:30pm - 6:30pm and sees the exact same condition that the first alert fired (i.e. at 5:59pm). You need to either decrease your timerange to have it match the cron expression or increase your cron expression to match the timerange </P> Fri, 14 Dec 2018 14:46:39 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447264#M8138 skoelpin 2018-12-14T14:46:39Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447265#M8139 <P>I got an email.<BR /> receive the same message 30 minutes after receiving the first warning message.</P> Mon, 17 Dec 2018 07:11:21 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447265#M8139 lifekis 2018-12-17T07:11:21Z https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447266#M8140 <P>You should read my answer below if you want to fix your issue... </P> Mon, 17 Dec 2018 14:32:39 GMT https://community.splunk.com/t5/Splunk-Dev/How-can-I-delete-the-following-duplicate-alerts/m-p/447266#M8140 skoelpin 2018-12-17T14:32:39Z