https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304338#M162778 <P>i did try that, i think it actually stopped it from working as i am not getting any alerts now. </P> Thu, 22 Feb 2018 14:45:02 GMT jdinze 2018-02-22T14:45:02Z https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304335#M162775 <P>I am trying to configure a real time alert that will fire off one alert for each event found in a search. I want one alert per event, which i think i can do. the catch is i only want this to happen when there are 10 or more events in a specified time window (like 10 or more events in 5 mins). </P> <P>I tried setting up a realtime alert with the following parameters, but it seems like the results aren't consistent. am i doing this completely wrong?</P> <P>(basically just searching an index for alerts, this index shouldn't have many but i want to know when there are 10 or more events in 5 mins and what each one is)<BR /> Search: index=test<BR /> Trigger Condition: Number of results &gt; 10, in 5 min, trigger for each result</P> <P>This requires a throttle, but i dont want one so i set the field to one that wouldnt exist and the smallest suppression timer.<BR /><BR /> Throttle: suppression field = "none"<BR /> suppress triggering for 1 sec</P> <P>Thanks,<BR /> splunk noob</P> Thu, 22 Feb 2018 09:26:51 GMT https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304335#M162775 jdinze 2018-02-22T09:26:51Z https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304336#M162776 <P>So you can modify your search as</P> <PRE><CODE>index=test | table _raw </CODE></PRE> <P>What trigger actions you are using? <BR /> If you are using <CODE>email</CODE> then you need to <CODE>attach csv/pdf</CODE> in order to see raw events<BR /> If you want to see on Splunk then you need to choose <CODE>Add to triggered alerts</CODE> as alert action </P> <P>Let me know if this helps!</P> Thu, 22 Feb 2018 10:17:45 GMT https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304336#M162776 mayurr98 2018-02-22T10:17:45Z https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304337#M162777 <P>I want to try this, but can you tell me what table _raw does differently when it comes to triggering per result?</P> <P>This is a custom alert action that sends an http notification to another system. i need one notification per result in the search (when the search yields more than 10 results). the external system will be utilizing these alerts with source IP information contained in the alert. </P> Thu, 22 Feb 2018 14:30:17 GMT https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304337#M162777 jdinze 2018-02-22T14:30:17Z https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304338#M162778 <P>i did try that, i think it actually stopped it from working as i am not getting any alerts now. </P> Thu, 22 Feb 2018 14:45:02 GMT https://community.splunk.com/t5/Splunk-Search/realtime-alert-for-each-event-when-reaching-x-number-in-y-mins/m-p/304338#M162778 jdinze 2018-02-22T14:45:02Z