Alerting

Too many emails & data

hxa27
Path Finder

Hi,
Actually, I have two questions on the same search query.

1- I was able to monitor the folder I want instead of the log files, but my problem is that when I run the search again, I still see the files I deleted earlier plus the new files I added. I don't know why they still show?

2- On the same search, I set up a real-time alert to send me an email if the condition is met, which is what I get. That's great, but the problem is I receive 19 to 20 emails for the same file because the real-time alert runs every minute and it gives me all the files which met the condition, even if they are the same files. Is there a way to make Splunk send only one email for the new file? Any suggestion will be helpful.

Thanks in advance


emiller42
Motivator

1) Once something is indexed in Splunk, it's in Splunk. Changing the monitor settings doesn't delete the data from your index. Deleting the old files doesn't delete the data from your index. You can selectively delete data from Splunk, but that only removes it from search results, not from the index itself (so it doesn't free disk space or anything). Generally this isn't recommended. You can find out more about the delete command here.

2) You probably don't want a real-time alert here. It would be much better to set up an alert with a short interval that only searches within that interval. So set up your search to look at the past 5 minutes, and then run every 5 minutes. It'll only trigger on new events, as you don't look at the same span of data twice. It also won't monopolize a CPU to keep a realtime search running.
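The scheduled-window approach above, written out as a savedsearches.conf stanza. This is an added example and not code from the thread or from Splunk's documentation; the index name app, the directory /var/log/app and the recipient address are placeholders. Each run covers a 5-minute window that does not overlap the previous one, the search collapses events to one row per file, and the alert triggers per row with throttling on the source field, so each file produces a single email.

```ini
# savedsearches.conf -- added example, not from the original thread.
# Assumed names: index "app", monitored directory /var/log/app and the
# recipient address are placeholders; adjust to your environment.
[new_file_alert]
enableSched = 1
# Run every 5 minutes on the wall clock.
cron_schedule = */5 * * * *
# Continuous schedule: if the scheduler falls behind, the missed windows
# are still run later (realtime_schedule = 1 would skip them, leaving a
# gap in coverage).
realtime_schedule = 0
# Non-overlapping 5-minute window, snapped to the minute and shifted back
# one minute so events that are still being indexed are not missed:
#   run at 10:05 -> 09:59..10:04, run at 10:10 -> 10:04..10:09, ...
dispatch.earliest_time = -6m@m
dispatch.latest_time = -1m@m
# One result row per file, so a file with 20 events still yields one row.
search = index=app source="/var/log/app/*" \
    | stats count AS events min(_time) AS first_seen BY source \
    | convert ctime(first_seen)
# Fire whenever the window contains at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Trigger once per result row (digest_mode = 0) and throttle on the file
# name, so a file that keeps logging across several windows does not
# re-alert for an hour. Field-based suppression only applies to
# per-result triggering, not to digest mode.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = source
alert.suppress.period = 1h
action.email = 1
action.email.to = ops@example.com
action.email.subject = New file under /var/log/app: $result.source$
action.email.sendresults = 1
action.email.inline = 1
```

Reload or restart after editing the stanza and check the alert's run history under Settings > Searches, reports, and alerts to confirm the windows line up with no gaps. For the first question, hiding the events from the files you already removed is done by a user holding the can_delete role running a search such as index=app source="/var/log/app/old.log" | delete; as the answer notes, this only marks those events unsearchable and does not reclaim disk space.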
