https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437833#M7627 <P>Perhaps scheduling alerts would be the way to go. We don't have to know the second someone adds an account to domain admins, we just have to know in a reasonable time so we can verify if this action has been approved. Scheduling an alert once a minute should suffice. Can you explain to me how to accomplish scheduled alerts for what I am trying to do?</P> <P>Thank you so much for your help with this.</P> <P>Kenneth</P> Mon, 03 Sep 2018 23:06:55 GMT k45bryant 2018-09-03T23:06:55Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437828#M7622 <P>I configured an alert to send an email every time a user is added to the Domain Admins group. I have this alert triggering on eventcode 4728, 4755, etc. The problem is that adding a single account will trigger multiple emails. I want the first event to trigger an email, but all subsequent events not to trigger an email. How do I accomplish this?</P> Sat, 01 Sep 2018 01:46:24 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437828#M7622 k45bryant 2018-09-01T01:46:24Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437829#M7623 <P>What time period are you searching over? You are looking for any events that match those codes in what time period? Do the emails stop?</P> Sun, 02 Sep 2018 01:02:12 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437829#M7623 burwell 2018-09-02T01:02:12Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437830#M7624 <P>Hello Burwell,</P> <P>It is a real-time configuration. As far as I know, the Splunk system monitors the logs and at the very time it receives a log with an EventCode of 4728 or 4755, it triggers an email. This process is instantaneous and not configured for a time period. Did I answer your question?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5692i7B810F5814C901F8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 02 Sep 2018 12:33:22 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437830#M7624 k45bryant 2018-09-02T12:33:22Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437831#M7625 <P>Hi. So I have always avoid real-time alerts because I understand scheduled alerts. It seems the advice is that if you need something to be run frequently, run every minute.</P> <P>When I look at real-time alerts (I am on 6.6.8: <A href="https://docs.splunk.com/Documentation/Splunk/6.6.8/Alert/DefineRealTimeAlerts">https://docs.splunk.com/Documentation/Splunk/6.6.8/Alert/DefineRealTimeAlerts</A>) there are two ways to go.</P> <P>I created an alert with the per-result triggering and made the action be to add to list of triggered alerts (I didn't want to spam myself with email)</P> <P>1) Create a real-time alert with per-result triggering<BR /> I created one of these and could see, as admin, that the alert had a cron schedule of * * * * * (i.e. every minute) but when I caused the search to match and I looked at the triggered alerts, it immediately fired exactly one</P> <P>2) I followed the instructions and removed the per result action. Instead I chose Number of events greater than 0. There was then a window to schedule in. When I went to save I was told "windowed real-time per result alerts require field based alert throttling to be enabled" . I attempted to do that and was told that I had to fill in "supress results containing field value". I was lost.</P> <P>In summary, I think it is way more obvious what is happening to not use a real-time alert. Schedule your alert to run perhaps every minute for maybe the last -2m to last -1m (giving yourself plenty of time to index the event.) The expected behavior is far more understandable.</P> Mon, 03 Sep 2018 22:04:24 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437831#M7625 burwell 2018-09-03T22:04:24Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437832#M7626 <P>I commented in my answer above. I think real-time alerts are too confusing.</P> Mon, 03 Sep 2018 22:04:47 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437832#M7626 burwell 2018-09-03T22:04:47Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437833#M7627 <P>Perhaps scheduling alerts would be the way to go. We don't have to know the second someone adds an account to domain admins, we just have to know in a reasonable time so we can verify if this action has been approved. Scheduling an alert once a minute should suffice. Can you explain to me how to accomplish scheduled alerts for what I am trying to do?</P> <P>Thank you so much for your help with this.</P> <P>Kenneth</P> Mon, 03 Sep 2018 23:06:55 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437833#M7627 k45bryant 2018-09-03T23:06:55Z https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437834#M7628 <P>Kenneth, you want to schedule an alert on a cron schedule: <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.6.8/Alert/AlertSchedulingBestPractices">https://docs.splunk.com/Documentation/Splunk/6.6.8/Alert/AlertSchedulingBestPractices</A></P> <P>Earliest -2m<BR /> Latest -1m<BR /> Cron schedule would be <CODE>* * * * *</CODE><BR /> That's every minute. You might only want to run the alert every 5 minutes. In which case you would</P> <P>Earliest -6m<BR /> Latest -1m<BR /> Cron schedule: <CODE>*/5 * * * *</CODE> which means run the alert every 5 minutes</P> <P>Your search would be something that would include the codes you care about including the index<BR /> e.g. <CODE>index= sourcetype= 4728 OR 4755</CODE></P> <P>If this helps be sure to accept my answer. Thanks.</P> Tue, 04 Sep 2018 06:18:36 GMT https://community.splunk.com/t5/Alerting/How-to-stop-a-single-account-email-alert-to-trigger-multiple/m-p/437834#M7628 burwell 2018-09-04T06:18:36Z