Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Alert False Positives

adzg
Engager
‎01-24-2022 09:08 AM

I have an alert that runs every 10 minutes from 6am-3pm PST.  It checks to see if a file has arrived within the last few minutes (file arrives at 6:10, check for file at 6:12 with 4 minute timeframe). 

The problem is that every day, I get 1-3 false positive alerts.  I get an email saying that a file didn't arrive on time but when I go to perform the exact search with the hardcoded timeframe in question, the file did arrive on time. 

Anyone ever run into this problem? Is this an issue with the alert scheduler?  I tried moving the alert back to give the file time to process in the system (file arrives at 6:10, check for file at 6:15 with 8 minute timeframe) but to no avail.

Labels (3)
0 Karma
Reply

SinghK
Builder
‎01-24-2022 09:33 AM

set it up at 6: 15 and let it check for last 10 min

0 Karma
Reply

adzg
Engager
‎01-24-2022 09:37 AM

How would that be practically different than what I've already tried, which is 6:15 looking back 8 minutes?  The file always arrives at XX:10:05

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...