Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Ambiguous behavior of Splunk Alert

sarvesh_11
Communicator
‎07-25-2019 11:38 AM

I am getting alert in splunk, when i click the hyperlink "View Result in Splunk",
it is giving me the same what is there in the mail body.
But when i again run the same code for same time window, there is nothing, i.e just hit , the results disappear?
Also, they are false alerts. the correct output is shown when we are rerunning the query.

Now this is frightening, and looses confidence on Splunk. Though its not happening in repetitive manner, its unusual.
My code is :

| makeresults
| eval Field1="1,2,3,4,5"
| eval Field1=split(Field1,",")
| mvexpand Field1
| join type=left Field1
[ search index=x source="abc"(my source is database)
....]

and the code goes onn.
@gordo32 i have seen your inputs on this https://answers.splunk.com/answers/305369/why-the-results-from-triggered-alert-is-different.html. Do you think the "search" will also resolve my thing?

0 Karma
Reply

jawaharas
Motivator
‎07-25-2019 11:31 PM

Are you using relative time (say last 15 min, last 1 hour etc.,) for your search?

0 Karma
Reply

sarvesh_11
Communicator
‎07-26-2019 12:25 AM

@jawaharas Yes i am using Last 15minutes as time window and cron schedule of every 5minutes.

0 Karma
Reply

jawaharas
Motivator
‎07-31-2019 05:24 PM

Is your issue replicable when using absolute time range (from 'timerange' picker, select 'Date & Time Range) instead of relative time (last 15 min) ?

Also, can you share your full Splunk query?

0 Karma
Reply

sarvesh_11
Communicator
‎08-05-2019 01:16 AM

yes, it is replicable!
I am sorry, i cannot share the whole query.
I found something intereting in: https://answers.splunk.com/answers/305369/why-the-results-from-triggered-alert-is-different.html

Using "search" in alert was creating a problem, thankfully i get rid of it 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...