Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help in setting alert

vrmandadi
Builder
‎04-13-2016 03:53 PM

Hello,

I am setting an alert based on the count i.e if the count is greater than 50 then we need to generate an alert.

I wrote the query and saved as alert

alert type=Real time
Trigger Condition=Custom
Custom Condition= search count>50
time: in 5 mins
and then selected the e-mail as triggered condition

in Throttle what should I give such that the alert when generated in 5 minutes should set the time back to zero before generating another alert

Tags (4)
0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎04-13-2016 04:22 PM

If your search is scheduled to run every five minutes (is it, actually?), then set the throttling to suppress the alert to something greater than five minutes.

0 Karma
Reply

vrmandadi
Builder
‎04-14-2016 10:05 AM

its not every 5 minutes,it will alert if the count is greater than 50 in a 5 mins window

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎04-14-2016 10:11 AM

So what is the schedule you have set for the search itself?

0 Karma
Reply

vrmandadi
Builder
‎04-14-2016 02:26 PM

all time for search,the alert is customized

search count>50

is the syntax correct for the alert or should it be in double quotes

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎04-14-2016 03:24 PM

Hi @vrmandadi,
I think it might be helpful to reconsider the alerting behavior you would like to have. When you say, "set the time back to zero" in your original question, it makes me think that you might want a scheduled alert that runs a search every five minutes to check for more than 50 events. If there are more than 50 results for that search, you get an email notification. Does that sound more like the outcome you are trying to set up? Let me know either way and I can suggest some resources.

As a start, this comparison chart might help.
http://docs.splunk.com/Documentation/Splunk/6.4.0/Alert/AlertTypesOverview

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...