Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk Alerts to only send one E-mail notification?

johann2017
Explorer
‎03-28-2018 02:35 PM

My Splunk alerts are configured to send an e-mail when triggered. How do I make sure that Splunk only sends one e-mail? It seems to be sending two e-mails every time. I think it may have to do with the timing I have configured. My alert settings are as follows:

Settings
Alert Time: Scheduled
Run on Cron Schedule
Time Range: Last 15 Minutes
Cron Expression: star/10 star star star star --> (I had to write the word star in place of * because they were getting removed because of the formatting rules on here) The cron expression translates to At every 10th minute

Trigger Conditions
Trigger Alert When: Number of Results is greater than 0
Trigger: Once
Throttle: (not checked)

Reply
1 Solution
Solved! Jump to solution
Solution

nplamondon
Communicator
‎04-02-2018 10:57 AM

You have a couple problems here.

As noted in your comment, the cron expression isn't valid. Try */10 * * * * (minute hour date month weekday).

You're probably getting double notifications because your polling time and window don't match. For example, you get an event at 08:09 and poll at 08:10 with a 15min window (07:55-08:10); you'll see the one event and the alert will trigger. You poll again at 08:20 with a 15min window (08:05-08:20); you'll see that same event and trigger the alert again. Either change your range to 10min or change your cron to */15 * * * *.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nplamondon
Communicator
‎04-02-2018 10:57 AM

You have a couple problems here.

As noted in your comment, the cron expression isn't valid. Try */10 * * * * (minute hour date month weekday).

You're probably getting double notifications because your polling time and window don't match. For example, you get an event at 08:09 and poll at 08:10 with a 15min window (07:55-08:10); you'll see the one event and the alert will trigger. You poll again at 08:20 with a 15min window (08:05-08:20); you'll see that same event and trigger the alert again. Either change your range to 10min or change your cron to */15 * * * *.

0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎04-02-2018 11:00 AM

Ok cool let me test that out and will post again after. Thanks.

0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎04-05-2018 02:03 PM

This worked thank you!

0 Karma
Reply
Solved! Jump to solution

rakshithreddy
Explorer
‎03-28-2018 04:45 PM

Hi @johann2017

The cron expression given above is wrong, can you check it

0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎04-02-2018 10:56 AM

Hello Rak. The Cron Expression is: star/10 star star star star --> (I had to write the word star in place of * because they were getting removed because of the formatting rules on here) The Cron expression translates to At every 10th minute.

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...