Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Allow skew

toporagno
Explorer
‎03-05-2024 08:03 AM

HI,

I need to know how to set and where the value of allow_skew for the Enterprise Security app, as I have many alerts triggering every 5 minutes.

thank you.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2024 05:43 PM

allow_skew won't stop alerts from triggering every 5 minutes.  To stop the alerts you have a few options

1) Stop whatever is triggering the alerts

2) Change the threshold of the alert so it's less likely to be triggered

3) Run the alert less frequently

4) Some combination of the above

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-06-2024 07:44 AM

@toporagno Remember that savedsearches.conf is a per-app/user configuration file, and the order of precedence matters. Configuration file precedence - Splunk Documentation

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-06-2024 07:42 AM

@toporagno allow_skew value should be in the savedsearches.conf. You can set the value here. 

For reference the link to the official documentation : Offset scheduled search start times - Splunk Documentation 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...