Restarting Splunk triggers all my alerts (and floo...

nickhills · ‎04-01-2012

I have a number of scheduled alerts which have thresholds configured to send me alerts if we see either too many or too few events in a given timeframe. But a restart of my seachhead triggers each of these events to fire (despite, it would seem the threshold not being crossed).

Is there anyway to prevent these alerts firing when restarting spunk, i.e. delay an alert triggering immediatly following startup.

I can't be the only person to find this irritating 🙂

If my comment helps, please give it a thumbs up!

nickhills · ‎02-27-2013

Charles,

Did you ever get a response from your support case? This still plagues us.

If my comment helps, please give it a thumbs up!

andyfry_nec · ‎11-14-2012

me too.

Did anyone open a support case?

sf_user_199 · ‎01-09-2013

I have a similar problem - we have real time alerts that trip when there is a lack of certain items present. If there is a brief interruption in communication from the search head to indexers, the alert trips.

charles_colvin · ‎11-15-2012

Yes, I opened a case. Actually my issue is that when I edit or disable a realtime search, the search triggers. I suspect the two issues are related. I'll post whatever solution I get from support.

charles_colvin · ‎10-19-2012

I have also experienced this issue. I guess it's time to open a support case...

nickhills · ‎10-16-2012

This is still very much a problem in our estate.

Can anyone else confirm that they see the same behaviour?

If my comment helps, please give it a thumbs up!

Restarting Splunk triggers all my alerts (and floods my inbox)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?