Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I use splunk scheduled alert like real time alert?

Aj01
Path Finder
‎01-11-2023 02:58 AM

I need to create a alert for service for but real time alert are disabled by admin, now i need to create a alert that if my service got bad service alert more then 5 it will send me mail immediately, i created alert but alert is sending email at the end of time range cycle like in cron expression i set

Time range:- "last 30 minutes" 

Cron expression :- */30 * * * *

expires in 24 hours

it is running and giving email also but not on alert time but at the end of cycle after 30 min, is there any way to make it trigger alert on same time as alert coming.

Please help me...

Labels (4)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-11-2023 03:09 AM

Hi @Aj01,

real time alerts consume too many resources so they are usually disabled.

But you can set a scheduled alert to run every 5 minutes or every 1 minute, so you have a near real time alert.

Ciao.

Giuseppe

 

Reply

Aj01
Path Finder
‎01-11-2023 04:02 AM

i want alert to work like if there is more then 5 alert we should receive one email at the time of 5th alert but its coming at end of cycle end and if i set it to run for every 5 min or 1 min and alerts come like 2 alerts in first 5 min cycle and 3 after 5 min it will not trigger the alert right.

 

Thats why i set it for 30 min but the email is coming at end of 30 min cycle.

 

Any solution....for that

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-11-2023 04:26 AM

Hi @Aj01,

you could run an alert that exceed the scheduling time (e.g. run the alert every 5 minutes using a timeframe of 10).

Than configure the throttle for e.g. 5 minutes.

In this way you can check the threshold in a larger time period than the scheduling window, but your alert is triggered only one time.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...