https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621677#M14522 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;This is my configuration:</P><P>Sorry it's in french but the function is same as in english. Do you find where I can do it please?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Julia1231_0-1669114910106.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22586i031F7B1CD61A2C1D/image-size/medium?v=v2&amp;px=400" role="button" title="Julia1231_0-1669114910106.png" alt="Julia1231_0-1669114910106.png" /></span></P><P>&nbsp;</P> Tue, 22 Nov 2022 11:03:26 GMT Julia1231 2022-11-22T11:03:26Z https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621671#M14520 <P>Hi,</P> <P>I am doing the sending alert if a machine has no activity in the span = 1h.</P> <P>I configure to send it each hour. The thing is if the machine has no activity at 7:00, it will send the alert every hour (7h, 8h, 9h, etc) saying the same message that the machine has no activity at 7:00</P> <P>Is anyway to send it once if the message is always the same (in this case, machine has no activity at 7:00).</P> <P>If the machine is restarted, it has activities from 10:00 - 15:00, then it downs, I will receive an alert saying that machine has no activity at 15:00)</P> <P>&nbsp;</P> <P>Thanks in advanced.</P> Tue, 22 Nov 2022 16:01:14 GMT https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621671#M14520 Julia1231 2022-11-22T16:01:14Z https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621674#M14521 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245583">@Julia1231</a>,</P><P>did you tried to configure throttling for your alert?</P><P>You can do this in the alert definition page.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 22 Nov 2022 10:47:46 GMT https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621674#M14521 gcusello 2022-11-22T10:47:46Z https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621677#M14522 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;This is my configuration:</P><P>Sorry it's in french but the function is same as in english. Do you find where I can do it please?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Julia1231_0-1669114910106.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22586i031F7B1CD61A2C1D/image-size/medium?v=v2&amp;px=400" role="button" title="Julia1231_0-1669114910106.png" alt="Julia1231_0-1669114910106.png" /></span></P><P>&nbsp;</P> Tue, 22 Nov 2022 11:03:26 GMT https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621677#M14522 Julia1231 2022-11-22T11:03:26Z https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621678#M14523 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245583">@Julia1231</a>,</P><P>you have to flag "Throttle" and define a time period that the alert will not be fired.</P><P>Only for the next time if you go in the address bar of your browser, replace "fr-FR" with "en-US", you'll have the dashboard in english, I'm italian and I usually have the same problem.</P><P>ciao.</P><P>Giuseppe</P> Tue, 22 Nov 2022 11:07:29 GMT https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621678#M14523 gcusello 2022-11-22T11:07:29Z https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621703#M14527 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;thank you.&nbsp;</P><P>So what I understand, because the Throttle goes with the Suppress triggering for (time), I can only suppress for the period that I define here.</P><P>For example if I put the suppress triggering for 3 hours, I will always receive the same email each 3h? It can reduce the number of duplicate email sent but cannot avoid, is it true?<BR />And even if my machine is restarted, it has activity again, there is always the alert sent for inform a fault in the pass.&nbsp;</P><P>Thanks,</P><P>Julia</P> Tue, 22 Nov 2022 14:26:17 GMT https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621703#M14527 Julia1231 2022-11-22T14:26:17Z https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621807#M14528 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245583">@Julia1231</a>,</P><P>my hint is to analyze throttle feature to use it at the best.</P><P>Otherwise a much more complicated workaround is to to write all your alerts in a summary index (as e.g. ES does) and then use this summary index to exclude the triggered alerts from results, but, as I said, it isn't so immediate to realize.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Nov 2022 07:48:53 GMT https://community.splunk.com/t5/Alerting/How-to-send-alert-once-if-message-doesn-t-change/m-p/621807#M14528 gcusello 2022-11-23T07:48:53Z