Alerting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Allow skew

toporagno
Explorer
‎03-05-2024 08:03 AM

HI,

I need to know how to set and where the value of allow_skew for the Enterprise Security app, as I have many alerts triggering every 5 minutes.

thank you.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2024 05:43 PM

allow_skew won't stop alerts from triggering every 5 minutes.  To stop the alerts you have a few options

1) Stop whatever is triggering the alerts

2) Change the threshold of the alert so it's less likely to be triggered

3) Run the alert less frequently

4) Some combination of the above

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kiran_panchavat
Influencer
‎03-06-2024 07:44 AM

@toporagno Remember that savedsearches.conf is a per-app/user configuration file, and the order of precedence matters. Configuration file precedence - Splunk Documentation

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma
Reply

kiran_panchavat
Influencer
‎03-06-2024 07:42 AM

@toporagno allow_skew value should be in the savedsearches.conf. You can set the value here. 

For reference the link to the official documentation : Offset scheduled search start times - Splunk Documentation 

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top