Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert setup

amirarsalan
Explorer
‎01-14-2020 06:36 AM

Hi all!
Need some help to setup an alert. I have created a alert but my issue is that the alert trigger all the time on the same results. My search is like this index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I only want once alert per campaign but now i get same alerts on same campaigns.

My setup is:
Earliest: -10m
Cron Expression: */5 * * * *
Trigger: Once
Throttle: 10 minutes

Someone who can help with this?

Tags (1)
0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 07:41 AM

Hi @gcusello
Here is my code search

index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I can change the time. Anyway it stil gives me same alerts

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 06:43 AM

Hi @amirarsalan,
you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?
What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 08:05 AM

Hi @amirarsalan,
you Use case requires that the alert is triggered when you have results to the search or when the result is higher that a threeshold?

Ciao.
Giuseppe

0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 01:33 PM

Hi @gcusello
Yes that's correct. But the problem here is that I get same results on my search. So when the alert run the search I got the same results and then I receive the same alert after 10 minutes etc. I want alerts when I have new errors on new campaigns. So I want to receive 1 alert per campaign.id error. Now I get spammed of same alert every 10 minutes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 10:28 PM

Hi @amirarsalan,
you could write the result of the search (the Campaigns) in a lookup (using outputlookup command) or (better) in a summary index (using collect comand) and exclude them from your search.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...