Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set alert and mail appears only once

davidde
New Member
‎06-04-2015 10:32 PM

Hello,

I'm calculating percentage of x events per month and I also put them into alert mode and set mail notifications - so that works now. The problem is I would like to configure it so that mail appears only when percentage of x events reaches 99,99% per month and never appears again - next time when I will receive mail in would be for a next month and so on... Is it possible to configure? Because I'm getting mails every day now, because the event matches every day...

Thank you in advance and have a nice day,

David

Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎06-05-2015 01:03 AM

It sounds to me that you might be looking for Alert Throttling ?

0 Karma
Reply

davidde
New Member
‎06-05-2015 01:12 AM

I will try that too, thank you! 🙂

0 Karma
Reply

MichaelPriest
Communicator
‎06-05-2015 12:55 AM

Have you got the details for your alert i.e your search string?

If you want it to run once every month you could try a scheduled alert.

0 Karma
Reply

davidde
New Member
‎06-05-2015 01:11 AM

index="january" OR index="february" OR index="march" OR index="april"| eval Month=strftime(Month,"%Y-%m-%d") | where Percentage >= "0.9999"| eval Percentage=Percentage*100| eval Percentage= substr(Percentage, 1, len(Percentage)-2)| eval Percentage1= replace(Percentage,".",",")| eval "Percentage"=Percentage."%"|eval Percentage= replace(Percentage,".",",")| table Month Percentage| dedup Month

For now result is Month=2015-01-01 and Percentage=99,99%..... Ok, so i got that mail and don't want to receive it till 99,99% appears in February... Actually 99,99% in month can appear few months from now or can appear tomorrow...

0 Karma
Reply

stephanefotso
Motivator
‎06-05-2015 12:43 AM

Hello, i read your comment above and i think that this may help:

Search query: 

index="january" OR index="february" OR index="march" OR index="april"| eval Month=strftime(Month,"%Y-%m-%d") | where Percentage >= "0.9999"| eval Percentage=Percentage*100| eval Percentage= substr(Percentage, 1, len(Percentage)-2)| eval Percentage1= replace(Percentage,".",",")| eval "Percentage"=Percentage."%"|eval Percentage= replace(Percentage,".",",")| table Month Percentage| dedup Month

Save it as an Alert.

Title: your alert Title
Alert Type: Real Time
Trigger Condition: Number of Results
Trigger if Number of Results is **: Greater than 0
**in : 30 days
click on next
....

Thanks

SGF
0 Karma
Reply

laserval
Communicator
‎06-05-2015 02:22 AM

I'd avoid Real Time alerts for this, since each such alert is a real-time search that uses up a lot of CPU.

Run it as Scheduled, every minute, instead. That's near-real-time enough for most email alerts.

0 Karma
Reply

stephanefotso
Motivator
‎06-05-2015 02:41 AM

That is true,

Title: your alert Title
Alert Type: Scheduled
Timerange: Run Every month
Schedule on day: choose the day
Trigger Condition: Number of Results
Trigger if Number of Results is : Greater than 0
...

SGF
0 Karma
Reply

MichaelPriest
Communicator
‎06-05-2015 01:23 AM

Then add in throttling for 30 days.

But the only problem with this is not every month has 30 days

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...