Alerting

Email Alerting error

christinmb
Path Finder

Hi, I'm having an error with the alerts sent by email since I upgraded to Splunk 5.
I have a real-time alert search, but I'm getting this alert sent to my email all day with the same event, and I think it's something I did wrong in the configuration.
I attach the alert configuration, thanks in advance.


0 Karma

qjvtenkroode
Explorer

This depends on the window in which the real-time search is run. For example, let's assume a window of 30 min and the throttling you have configured (10 min). Now let's say the search has two results (seen at time 0), Splunk sends an email and keeps quiet for 10 min.

Now after 10 min the throttling is turned off and still these two events are seen since the window rolls over 30 min, this time at time 10. Thus another email is sent and so on.

Solutions to this can be to decrease or increase the real-time window (once again I don't know your setting since it is not shown in the screenshot), to adjust the condition (i.e. number of events greater than 10 instead of 1) or to adjust the throttling time to match the real-time window.

0 Karma
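
The interaction described in the answer above, as an added example that is not part of the original posts and is not Splunk code: a simplified minute-by-minute model of a rolling real-time window combined with throttling. The function name `simulate`, its parameters and the sample events are assumptions made for illustration.

```python
def simulate(event_minutes, window, throttle, threshold=1, horizon=120):
    """Model a rolling-window alert evaluated once per minute.

    Returns a list of (minute, new_events) tuples, one per email sent.
    new_events == 0 means the email repeats events already reported.
    """
    alerts = []
    quiet_until = 0      # throttling suppresses emails before this minute
    last_alert = None    # minute of the previous email, if any
    for now in range(horizon + 1):
        # Events still inside the rolling window (now - window, now]
        visible = [t for t in event_minutes if now - window < t <= now]
        if len(visible) <= threshold or now < quiet_until:
            continue
        # Events that arrived after the previous email
        new = [t for t in visible if last_alert is None or t > last_alert]
        alerts.append((now, len(new)))
        last_alert = now
        quiet_until = now + throttle
    return alerts


# Constructed sample: two matching events, both seen at minute 0.
EVENTS = [0, 0]

if __name__ == "__main__":
    cases = [
        ("30 min window, 10 min throttle", dict(window=30, throttle=10)),
        ("throttle matched to window", dict(window=30, throttle=30)),
        ("window shrunk to throttle", dict(window=10, throttle=10)),
        ("condition raised to > 10", dict(window=30, throttle=10, threshold=10)),
    ]
    for label, kwargs in cases:
        print(f"{label}: {simulate(EVENTS, **kwargs)}")
```

An entry with zero new events is an email that only repeats what was already reported, which is the symptom in the question.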

qjvtenkroode
Explorer

Well, by setting the search to rt, rt and the alert mode to "once per result" you will be alerted for every event after one event is found (i.e. the second, the third, the fourth and so on).

It really depends on what you're trying to achieve.

0 Karma

christinmb
Path Finder

The time range I have is:
start time: rt
finish time: rt

Alert mode is "once per results" with the same alert condition shown in the screenshot.

And I disabled the Throttling option.

0 Karma