Alerting

Mutilple alerts coming for each search results

SG
Path Finder

HI,

I have configured an alert to get the email when my query gives greater than 0 search results. I am able to see the alert but if search results are 3 I am getting 3 different emails as below.

SG_0-1627543908899.pngSG_1-1627543941121.pngSG_2-1627543967166.png

In the above screenshot, we can see that all 3 different emails are triggered at the same time.  want all these results to be in one email alert. Can someone please help me with how can we get all the search results of a single alert?

Also in my alert trigger conditions, I have something like 

SG_3-1627544128879.png

does that mean my Splunk alert expires after 24 hours? If it is so how can I change the settings to work the alert forever and if I need to stop the alert I will disable it.

 

Thanks in advance,

Swetha. G

Labels (1)
Tags (1)
0 Karma
1 Solution

SG
Path Finder

I updated the Triggered value from "For each result" to once. Now I am getting all the search results in one alert email.

SG_0-1627551030616.png

 

 

Thanks,

View solution in original post

0 Karma

SG
Path Finder

I updated the Triggered value from "For each result" to once. Now I am getting all the search results in one alert email.

SG_0-1627551030616.png

 

 

Thanks,

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The 24 hours refers to how long the triggered alert stays in the list of triggered alerts (see under Activity/Triggered Alerts)

The other setting which you haven't shown is Trigger

ITWhisperer_0-1627545654001.png

How is yours set?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...