Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert setup

amirarsalan
Explorer
‎01-14-2020 06:36 AM

Hi all!
Need some help to setup an alert. I have created a alert but my issue is that the alert trigger all the time on the same results. My search is like this index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I only want once alert per campaign but now i get same alerts on same campaigns.

My setup is:
Earliest: -10m
Cron Expression: */5 * * * *
Trigger: Once
Throttle: 10 minutes

Someone who can help with this?

Tags (1)
0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 07:41 AM

Hi @gcusello
Here is my code search

index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I can change the time. Anyway it stil gives me same alerts

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 06:43 AM

Hi @amirarsalan,
you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?
What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 08:05 AM

Hi @amirarsalan,
you Use case requires that the alert is triggered when you have results to the search or when the result is higher that a threeshold?

Ciao.
Giuseppe

0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 01:33 PM

Hi @gcusello
Yes that's correct. But the problem here is that I get same results on my search. So when the alert run the search I got the same results and then I receive the same alert after 10 minutes etc. I want alerts when I have new errors on new campaigns. So I want to receive 1 alert per campaign.id error. Now I get spammed of same alert every 10 minutes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 10:28 PM

Hi @amirarsalan,
you could write the result of the search (the Campaigns) in a lookup (using outputlookup command) or (better) in a summary index (using collect comand) and exclude them from your search.

Ciao.
Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...