Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Allow skew

toporagno
Explorer
‎03-05-2024 08:03 AM

HI,

I need to know how to set and where the value of allow_skew for the Enterprise Security app, as I have many alerts triggering every 5 minutes.

thank you.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2024 05:43 PM

allow_skew won't stop alerts from triggering every 5 minutes.  To stop the alerts you have a few options

1) Stop whatever is triggering the alerts

2) Change the threshold of the alert so it's less likely to be triggered

3) Run the alert less frequently

4) Some combination of the above

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kiran_panchavat
Communicator
‎03-06-2024 07:44 AM

@toporagno Remember that savedsearches.conf is a per-app/user configuration file, and the order of precedence matters. Configuration file precedence - Splunk Documentation

0 Karma
Reply

kiran_panchavat
Communicator
‎03-06-2024 07:42 AM

@toporagno allow_skew value should be in the savedsearches.conf. You can set the value here. 

For reference the link to the official documentation : Offset scheduled search start times - Splunk Documentation 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...