Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get one alert for all the same alerts?

cramery
New Member
‎03-19-2019 02:38 AM

I want to make an Alert, as soon as a Application gets startet (in this case Firefox). But for somehow, always 4 or more alerts get triggered. But the Alerts are exact the same to each other, theres not a single diffrent in the whole alert. How can I reach, that I only get one Alert for all of these same Alerts, that are also in the exact same time? (Also, when I just use it as a search, it perfectly works fine too)

My Search:

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe") | stats first(*) by ParentProcessId

My Alert conditions:

Real-Time
Number of Results: Equals 2 (It only works with 2, dont know why)
In 1 Minute
Triggers Once
Add to Triggered Alerts
Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-19-2019 06:43 AM

First of all, stop using realtime and your problem goes away; then search like this:

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe") | stats first(*) by ParentProcessId host
0 Karma
Reply

nickhills
Ultra Champion
‎03-19-2019 06:40 AM

This is the problem with Real-Time alerts.

Consider this:
you have a search which generates a result (like yours)
It is looking for events which have occurred in the last 60 seconds.

Your event fires at 05 seconds past the minute - the RT search runs, it fulfils the search criteria, so it generates an alert, and 'Triggers Once' - an email is sent etc, the 'Job' completes

It is now 15 seconds past the minute - your RT search runs again, the result set STILL fulfils the criteria, so it triggers 'Once' again..

etc, etc

Better is to schedule your searches to run every minute looking back at the previous 60 seconds. (if you really must) but this kind of search does not work well with RT alerts, You 'could' use throttling to stop the same alert firing more than once, but you run the risk that two similar (but different) events could trigger resulting in throttling a message you care about.

The 'look back' method is better to make sure you don't get multiple alerts firing for a single event, and that each event gets alerted.

An even better approach is to widen the search window further, and look for events earliest=-2m, latest=-1m - This helps protect against messages which have been delayed by a few seconds and might otherwise be missed.

Better again is to run it over a longer time, like every 15 mins search -16min to -1m, but the immediacy is impacted

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...