topic Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions? in Alerting

Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

splunkn — Mon, 14 Dec 2015 13:27:53 GMT

When would I use "Once" versus "Each result" in Alert Trigger actions?

Trigger : Once / Each result

Is "Each result" something related to throttling?

Could someone explain with any brief example?

Many thanks

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

jkat54 — Mon, 14 Dec 2015 14:10:16 GMT

"Once" means it will trigger one alert once the threshold (1 or more results by default) is reached .

"Each result" means you get an alert for each result. Often this is used to feed each result through to a python script for additional work.

You may also prefer to receive all events in separate emails for other automation purposes.

For example... if your search identifies 5 servers are down... you may prefer to have emails with specific subjects & bodies related to each server. This way you know your SQL cluster dropped 5 out of 10 servers, and they were these specific 5 servers just by glancing at the subjects of your emails. Otherwise, you'd just get the 5 attached as csv, or inline, etc. and have to open the email. etc.

in case of filtering through to a script, your script might rely on very specific results or not be able to handle an array of results, etc.

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

javiergn — Mon, 14 Dec 2015 14:13:33 GMT

Assume you want your alert to send an email:

"Each result" is going to send one email per result and you can include the result itself within the body of your message. If your search returns 1000 results, you are going to send 1000 emails
Once will send just 1 email that contains all your results in some sort of report

More info here: http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/Aboutalerts

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

frobinson_splun — Mon, 14 Dec 2015 20:13:45 GMT

Throttling can be configured separately for alert triggering suppression. See
http://docs.splunk.com/Documentation/Splunk/6.3.1/Alert/ThrottleAlerts

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

splunkn — Tue, 15 Dec 2015 06:04:33 GMT

thnaks javi and frob.. now its clear..

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

splunkn — Tue, 15 Dec 2015 06:16:17 GMT

jkat..Thanks for your reply.. Could you hint out for the following scenario?

Am having lookup which lists all the servers in our environment (say SH,IN,DS..) and deploying a query to check for its internal logs. If internal logs not received for a server we assume Splunk is down. In that case for last 60 min.. the query check for internal logs. Its not there for two components say SH1,SH2 ( all my SH goes down). So in my result it returns both SH1 IP and SH2 IP. If I select "Once" the alert will trigger only once.
If I Select "For each Result" - How it will trigger?
the same alert will trigger twice with both IPs or two alerts with each IP?

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

jkat54 — Tue, 15 Dec 2015 22:13:30 GMT

it should send two emails, each with the same results. GIve it a shot, it all depends on your alert_actions.conf and version of splunk. Unfortunately I dont know how every version will behave...

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

Sachin — Fri, 26 Apr 2024 09:43:29 GMT

We have correation configured where we have selected 'Once' option but it is generating notable for each result instead of generating one notable only.

Re: Can someone explain when I would use "Once" versus "Each result" in Alert Trigger actions?

DanielPi — Fri, 26 Apr 2024 12:03:13 GMT

Hi @Sachin,

I’m a Community Moderator in the Splunk Community.

This question was posted 9 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you!