Alerting

How to edit my alert to not get overlapping results?

Builder

Hi there,

I wanted to create an alert which keeps running every hour and checks the data from the start of the day until now, and if the count is greater than a value, it should generate an alert and no further alert for the rest of the day. I have used the following parameters, but it does not seem to be right, because if we get an alert at 6pm today we don't get another alert until 6pm the next day. What if the count has exceeded the limit at some time before 6pm the next day? We would not get an alert because of the throttle. If we don't use throttle, we get overlapping results.

Alert type: Scheduled
Run on Cron Schedule
Earliest: @d
Latest: now
Cron Expression: */60 * * * *
**Trigger Conditions**
Trigger alert when Number of Results is greater than 0
Trigger Once
For each result
Throttle? Suppress triggering for 1 day(s)

Please recommend a solution. Urgent. Thanks for the help.

Esteemed Legend

What you are really asking for is for relative modifiers (e.g. @d+24h) to be supported for Throttling time values.

Builder

Yes, exactly. Is that possible?

How can we set it up for the alert?

Thanks

Esteemed Legend

File a feature/enhancement request JIRA ticket through your sales rep.

SplunkTrust

You could set your search so that it runs hourly, finds the time of the FIRST event of the day, and if that event is less than (for example) 65 minutes old, throws the alert.

Then set the throttle to suppress the alert for 75 minutes (but it will never alert again until the next day anyway).

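The answer above describes the technique in words; here is one way to write it as SPL. This is an added example, not code from the answer's author or from Splunk, and it generalizes the idea from "the first event of the day" to "the event that pushes the day's count over a threshold": the search returns a row only when the (N+1)-th event of the day landed inside the last 65 minutes, i.e. during the hour this run covers. The index name `web`, the sourcetype `access_combined` and the threshold of 100 are assumptions chosen for illustration; replace them with your own base search and limit. With threshold 0 the search reduces to exactly what the answer describes (the first event of the day).

```spl
index=web sourcetype=access_combined earliest=@d latest=now
| eval threshold=100
| sort 0 _time
| streamstats count AS running_count
| where running_count = threshold + 1
| where _time >= relative_time(now(), "-65m")
```

Wire it up with the alert settings from the question: keep the hourly cron, keep the trigger condition at "Number of Results is greater than 0" (the threshold now lives in the search, so the alert only has to notice that a row came back), choose "Trigger Once", and set the throttle to 75 minutes rather than one day. The 65-minute lookback gives a few minutes of slack for a delayed scheduler run; because the crossing event can only exist once per day, the search cannot fire twice on the same day, and the 75-minute throttle covers the small window where two consecutive hourly runs could both see the same crossing. Since a new day starts a new count at `@d`, the alert is armed again at midnight without any date-relative throttle. One caveat: `sort 0 _time` over a full day of events is more expensive than a plain count, so on a high-volume index consider narrowing the base search as much as possible.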