Alerting

How to create an alert for each new event

Naa_Win
Path Finder

Hello Team,

I have error data coming into an index (we filtered it to send only error logs to this index). I want to create an alert whenever there are new events coming into that index, and I don't want to send duplicate alerts.

index=error_idx sourcetype=error_srctyp 

PickleRick
SplunkTrust
SplunkTrust

There is always a chance of missing an event in some circumstances. For example, if there is a huge lag due to a network outage or something similar, and your events get indexed with several hours' delay, you won't find them when you're searching for recent events.

But you can minimise the risk. The typical approach is to search every 15 minutes, say, over a "slightly delayed" window. For example, you search from 16 minutes ago to 1 minute ago. Or 17 to 2, depending on your typical ingestion latency.


gcusello
SplunkTrust
SplunkTrust

Hi @Naa_Win ,

You have to define the frequency of your alert and run a simple search scheduled at that frequency. If, for example, you want to run your alert every 5 minutes, you should run a search like the following:

index=error_idx sourcetype=error_srctyp earliest=-5m@m latest=@m

If there are events, the alert triggers.

By choosing a defined period, you can be sure that the alert triggers only once for each event.

Ciao.

Giuseppe

PickleRick
SplunkTrust
SplunkTrust

It seems a bit like an overkill to use Splunk for this if all you send are errors. 😉

But anyway, you should just search for events with continuous scheduling and you're set (just take into account possible delays in indexing).


Naa_Win
Path Finder

@gcusello   @PickleRick Thank you for the reply.

We are sending data from the application console to Splunk through syslog, and they have defined it to send only error logs from their console.

So if I schedule it to run at a 15-minute frequency with a 15-minute time range, will there be any chance of missing events? Our intention is to get an alert whenever there is a new event, and the same event shouldn't be repeated in the alert.


gcusello
SplunkTrust
SplunkTrust

Hi @Naa_Win ,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

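The two scheduling shapes discussed in this thread (gcusello's contiguous window ending at the current minute, and PickleRick's window shifted back by one minute to absorb ingestion latency) can be checked against constructed events before a real alert is saved. The following Python simulation is an added example written for this page; it is not Splunk code or anything posted by the participants. It models a scheduled search as a half-open `[earliest, latest)` range over event `_time`, snapped to the minute as `@m` does, and treats an event as visible only once it has been indexed. The events, times and latencies are constructed to show the boundary case and the multi-hour-delay case raised above; the SPL equivalents in the comments are my rendering of the two answers, not text from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample events: name -> (event _time, time the event became searchable).
# "prompt" is indexed within seconds, "boundary" lands just before a window edge and is
# indexed 30 s later, "late" arrives with a three-hour delay (network outage scenario).
T0 = datetime(2024, 12, 1, 12, 0, 0)
EVENTS = {
    "prompt":   (T0 + timedelta(minutes=3, seconds=10),  T0 + timedelta(minutes=3, seconds=15)),
    "boundary": (T0 + timedelta(minutes=14, seconds=50), T0 + timedelta(minutes=15, seconds=20)),
    "late":     (T0 + timedelta(minutes=20),             T0 + timedelta(hours=3)),
}


def snap_to_minute(ts):
    """Equivalent of Splunk's @m snap: drop seconds and sub-seconds."""
    return ts.replace(second=0, microsecond=0)


def search_window(run_time, span_minutes, delay_minutes):
    """Window selected by earliest=-(span+delay)m@m latest=-(delay)m@m at run_time.

    delay_minutes=0 is the shape in gcusello's answer (e.g. -15m@m to @m);
    delay_minutes=1 is PickleRick's shifted window (e.g. -16m@m to -1m@m).
    """
    latest = snap_to_minute(run_time) - timedelta(minutes=delay_minutes)
    earliest = latest - timedelta(minutes=span_minutes)
    return earliest, latest


def run_alert(run_time, span_minutes, delay_minutes, events=EVENTS):
    """Names of events the scheduled search would return when it runs at run_time.

    An event is returned only if it is already indexed and its _time falls in
    [earliest, latest); Splunk treats earliest as inclusive and latest as exclusive.
    """
    earliest, latest = search_window(run_time, span_minutes, delay_minutes)
    return [name for name, (t, indexed_at) in events.items()
            if indexed_at <= run_time and earliest <= t < latest]


def simulate(span_minutes, delay_minutes, runs, events=EVENTS):
    """Run the alert every span_minutes for `runs` iterations and count hits per event.

    A hit count of 0 means the event was never alerted on; >1 means a duplicate alert.
    """
    hits = {name: 0 for name in events}
    for i in range(1, runs + 1):
        run_time = T0 + timedelta(minutes=span_minutes * i)
        for name in run_alert(run_time, span_minutes, delay_minutes, events):
            hits[name] += 1
    return hits


def windows_tile(span_minutes, delay_minutes, runs):
    """True if consecutive windows share an edge exactly, so no _time is covered twice
    or left uncovered (this is what makes the 'no duplicate alert' property hold)."""
    edges = [search_window(T0 + timedelta(minutes=span_minutes * i), span_minutes, delay_minutes)
             for i in range(1, runs + 1)]
    return all(edges[i][1] == edges[i + 1][0] for i in range(len(edges) - 1))


if __name__ == "__main__":
    for delay in (0, 1):
        print(f"span=15m delay={delay}m -> hits per event: {simulate(15, delay, 4)}")
```

With a 15-minute span and no delay, the "boundary" event is lost: it is not yet indexed when the 12:15 run looks at [12:00, 12:15), and the 12:30 run's window starts at 12:15, so no later run ever covers it. Shifting the window back by one minute catches it exactly once, and the windows still tile, so nothing is reported twice. The three-hour "late" event is missed under both settings, which is the residual risk PickleRick describes; the delay only needs to exceed your typical ingestion latency, and Splunk's `_indextime` field can be used to measure that latency on your own data.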
