https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487157#M12759 <P>Hi @amirarsalan,<BR /> you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?<BR /> What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 14 Jan 2020 14:43:17 GMT gcusello 2020-01-14T14:43:17Z https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487156#M12758 <P>Hi all! <BR /> Need some help to setup an alert. I have created a alert but my issue is that the alert trigger all the time on the same results. My search is like this <STRONG>index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id</STRONG></P> <P>I only want once alert per campaign but now i get same alerts on same campaigns.</P> <P>My setup is: <BR /> Earliest: -10m<BR /> Cron Expression: */5 * * * *<BR /> Trigger: Once<BR /> Throttle: 10 minutes</P> <P>Someone who can help with this?</P> Tue, 14 Jan 2020 14:36:46 GMT https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487156#M12758 amirarsalan 2020-01-14T14:36:46Z https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487157#M12759 <P>Hi @amirarsalan,<BR /> you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?<BR /> What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 14 Jan 2020 14:43:17 GMT https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487157#M12759 gcusello 2020-01-14T14:43:17Z https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487158#M12760 <P>Hi @gcusello <BR /> Here is my code search</P> <PRE><CODE>index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id </CODE></PRE> <P>I can change the time. Anyway it stil gives me same alerts</P> Tue, 14 Jan 2020 15:41:28 GMT https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487158#M12760 amirarsalan 2020-01-14T15:41:28Z https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487159#M12761 <P>Hi @amirarsalan,<BR /> you Use case requires that the alert is triggered when you have results to the search or when the result is higher that a threeshold?</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 14 Jan 2020 16:05:15 GMT https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487159#M12761 gcusello 2020-01-14T16:05:15Z https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487160#M12762 <P>Hi @gcusello<BR /> Yes that's correct. But the problem here is that I get same results on my search. So when the alert run the search I got the same results and then I receive the same alert after 10 minutes etc. I want alerts when I have new errors on new campaigns. So I want to receive 1 alert per campaign.id error. Now I get spammed of same alert every 10 minutes</P> Tue, 14 Jan 2020 21:33:47 GMT https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487160#M12762 amirarsalan 2020-01-14T21:33:47Z https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487161#M12763 <P>Hi @amirarsalan,<BR /> you could write the result of the search (the Campaigns) in a lookup (using outputlookup command) or (better) in a summary index (using collect comand) and exclude them from your search. </P> <P>Ciao.<BR /> Giuseppe</P> Wed, 15 Jan 2020 06:28:26 GMT https://community.splunk.com/t5/Alerting/Alert-setup/m-p/487161#M12763 gcusello 2020-01-15T06:28:26Z