Alerting

How to send alert once if message doesn't change?

Julia1231
Communicator

Hi,

I am sending an alert if a machine has no activity in a span of 1h.

I configured it to send every hour. The thing is, if the machine has no activity at 7:00, it will send the alert every hour (7h, 8h, 9h, etc.) with the same message, that the machine has no activity at 7:00.

Is there any way to send it once if the message is always the same (in this case, the machine has no activity at 7:00)?

If the machine is restarted and has activity from 10:00 to 15:00, then goes down, I will receive an alert saying that the machine has no activity at 15:00.

Thanks in advance.


gcusello
SplunkTrust

Hi @Julia1231,

did you try to configure throttling for your alert?

You can do this in the alert definition page.

Ciao.

Giuseppe


Julia1231
Communicator

@gcusello This is my configuration:

Sorry, it's in French, but the function is the same as in English. Can you find where I can do it, please?

[screenshot: Julia1231_0-1669114910106.png]

gcusello
SplunkTrust

Hi @Julia1231,

you have to flag "Throttle" and define a time period during which the alert will not be fired.

Just for next time: if you go to the address bar of your browser and replace "fr-FR" with "en-US", you'll get the dashboard in English. I'm Italian and I usually have the same problem.

Ciao.

Giuseppe


Julia1231
Communicator

@gcusello thank you.

So, from what I understand, because Throttle goes together with "Suppress triggering for (time)", I can only suppress for the period that I define here.

For example, if I set "suppress triggering for 3 hours", will I still receive the same email every 3h? It can reduce the number of duplicate emails sent but cannot avoid them, is that true?
And even if my machine is restarted and has activity again, the alert is still sent to inform about a fault in the past.

Thanks,

Julia


gcusello
SplunkTrust

Hi @Julia1231,

my hint is to analyze the throttle feature to use it at its best.

Otherwise, a much more complicated workaround is to write all your alerts to a summary index (as e.g. ES does) and then use this summary index to exclude the already-triggered alerts from the results, but, as I said, it isn't so immediate to realize.

Ciao.

Giuseppe

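The summary-index workaround from Giuseppe's last reply, written out as an added example (not code from this thread). It assumes the machine events live in index=machines, that alert_summary is an existing summary index, and that the alert triggers on "number of results > 0". A machine is alerted only once per distinct last-activity time, so a machine that comes back and goes down again (the 10:00-15:00 case above) produces a new alert, while the same outage never repeats.

```spl
| tstats latest(_time) as last_activity where index=machines by host
| rename host as machine
``` Renamed so the value is not confused with the summary event's own host metadata.
| where last_activity < relative_time(now(), "-1h")
``` Pull the last activity time we already alerted on, per machine.
| join type=left machine
    [ search index=alert_summary earliest=-30d
      | stats latest(last_activity) as alerted_activity by machine ]
``` Keep only machines never alerted on, or whose outage started at a new time.
| where isnull(alerted_activity) OR last_activity != tonumber(alerted_activity)
| fields - alerted_activity
| eval last_activity_text=strftime(last_activity, "%Y-%m-%d %H:%M")
``` Record what was alerted so the next run can exclude it.
| collect index=alert_summary
```

Instead of `collect`, the same effect is achieved by enabling the alert's summary indexing action (action.summary_index and action.summary_index._name in savedsearches.conf); with plain throttling, alert.suppress.fields = host at least limits the suppression to one machine at a time rather than the whole alert.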