https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407080#M12562 <P>@jawaharas Yes i am using Last 15minutes as time window and cron schedule of every 5minutes.</P> Fri, 26 Jul 2019 07:25:04 GMT sarvesh_11 2019-07-26T07:25:04Z https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407078#M12560 <P>I am getting alert in splunk, when i click the hyperlink "View Result in Splunk", <BR /> it is giving me the same what is there in the mail body. <BR /> But when i again run the same code for same time window, there is nothing, i.e just hit , the results disappear?<BR /> Also, they are false alerts. the correct output is shown when we are rerunning the query.</P> <P>Now this is frightening, and looses confidence on Splunk. Though its not happening in repetitive manner, its unusual.<BR /> My code is :</P> <P>| makeresults<BR /> | eval Field1="1,2,3,4,5"<BR /> | eval Field1=split(Field1,",")<BR /> | mvexpand Field1<BR /> | join type=left Field1<BR /> [ search index=x source="abc"(my source is database)<BR /> ....] </P> <P>and the code goes onn.<BR /> @gordo32 i have seen your inputs on this <A href="https://answers.splunk.com/answers/305369/why-the-results-from-triggered-alert-is-different.html">https://answers.splunk.com/answers/305369/why-the-results-from-triggered-alert-is-different.html</A>. Do you think the "search" will also resolve my thing?</P> Thu, 25 Jul 2019 18:38:11 GMT https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407078#M12560 sarvesh_11 2019-07-25T18:38:11Z https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407079#M12561 <P>Are you using relative time (say last 15 min, last 1 hour etc.,) for your search?</P> Fri, 26 Jul 2019 06:31:25 GMT https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407079#M12561 jawaharas 2019-07-26T06:31:25Z https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407080#M12562 <P>@jawaharas Yes i am using Last 15minutes as time window and cron schedule of every 5minutes.</P> Fri, 26 Jul 2019 07:25:04 GMT https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407080#M12562 sarvesh_11 2019-07-26T07:25:04Z https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407081#M12563 <P>Is your issue replicable when using absolute time range (from 'timerange' picker, select 'Date &amp; Time Range) instead of relative time (last 15 min) ?</P> <P>Also, can you share your full Splunk query?</P> Thu, 01 Aug 2019 00:24:14 GMT https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407081#M12563 jawaharas 2019-08-01T00:24:14Z https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407082#M12564 <P>yes, it is replicable!<BR /> I am sorry, i cannot share the whole query.<BR /> I found something intereting in: <A href="https://answers.splunk.com/answers/305369/why-the-results-from-triggered-alert-is-different.html">https://answers.splunk.com/answers/305369/why-the-results-from-triggered-alert-is-different.html</A> </P> <P>Using "search" in alert was creating a problem, thankfully i get rid of it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 05 Aug 2019 08:16:56 GMT https://community.splunk.com/t5/Alerting/Ambiguous-behavior-of-Splunk-Alert/m-p/407082#M12564 sarvesh_11 2019-08-05T08:16:56Z