Re: How to edit my alert to not get overlapping re...

nawazns5038 · ‎02-16-2017

Hi there,

I wanted to create an alert which keeps on running every hour and checks the data from starting of the day and till now and if the count is greater than a value, it should generate an alert and no alert for the rest of the day. I have used the following parameters. But it does not seem to be right because if we get an alert at 6pm today we don't get another alert until 6pm the next day. what if the count has exceeded the limit at some time less than 6pm the next day we would not get an alert because of the throttle. If we don't use throttle we get overlapping of the results.

Alert type :Scheduled
 Run on Cron Schedule
Earliest:  @d
Latest: now
Cron Expression:  */60 * * * *
**Trigger Conditions**

Trigger alert when  Number of Results is greater than 0
Trigger Once
For each result

Throttle?
Suppress triggering for

1

 day(s)

Please recommend a solution . Urgent. Thanks for the help

woodcock · ‎02-19-2017

What you are really asking for is for relative modifiers (e.g. @d+24h) to be supported for Throttling time values.

nawazns5038 · ‎02-19-2017

yes . exactly . Is that possible ?

how can we set it up for the alert ?

Thanks

woodcock · ‎02-19-2017

File an feature/enhancement request JIRA ticket through your sales rep.

DalJeanis · ‎02-16-2017

You could set your search so that it runs hourly, finds the time of the FIRST event of the day, and if that event is less than (for example) 65 minutes old, throws the alert.

Then, set the throttle to suppress the alert for 75 minutes (but it will never alert again until the next day.)

How to edit my alert to not get overlapping results?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk