Alerting
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the difference between "Once" and "For each result" in notable OR alert trigger conditions?

edoardo_vicendo
Builder
‎10-04-2022 08:08 AM

I know this has been already asked in the past, but it still not completely clear to me:

https://community.splunk.com/t5/Alerting/Can-someone-explain-when-I-would-use-quot-Once-quot-versus-...

https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions

For testing purpose to understand the topic, I have set-up the following Correlation Search that triggers a Notable Event in Splunk Enterprise Security. The same can be done also as an Alert in Splunk Enterprise:

 

 

| makeresults count=3 
| streamstats count | eval value=case(count=1,"test01",count=2,"test02",count=3,"test03") | eval alert=case(count=1,"KO",count=2,"OK",count=3,"KO")
| search alert="KO"
|`get_event_id`|eval orig_index=index|eval orig_indexer_guid=indexer_guid|eval orig_event_hash=event_hash|eval orig_cd=_cd|eval orig_raw=_raw

 

 

The above search run every 5 minutes and generates 2 events.  I tried to change between "Once" and "For each result" but nothing change, they are always generated 2 Notable events.

edoardo_vicendo_0-1664895529808.png

I was expecting:

  • "Once": generate only 1 Notable event
  • "For each result": generate 2 Notable events

 

So the question is which is the difference between "Once" and "For each result" and why there is no effect changing it in my test?

Thanks a lot,

Edoardo

Labels (2)
Labels
0 Karma
Reply

timpedlar
Explorer
‎09-07-2023 12:08 PM

timpedlar_0-1694113639499.png

***Notable response actions and risk response actions are always triggered for each result.

0 Karma
Reply

evinasco08
Explorer
‎01-24-2023 07:45 AM

IF you search generate 2 results, in the "once" options , yo will receive one alert with 2 results, but if is "For each result", you will receive 2 alerts, one for each result

 

 

0 Karma
Reply

jdunlea
Contributor
‎10-04-2022 01:23 PM

The behavior that you are expecting is indeed supposed to be what happens. I have tested your search with a basic alert (not an ES correlation search) and with "once" it only triggers the log_event alert action when the alert runs. When switched to "for each result" it triggers it twice, for both results. 

 

Are you sure that you do not have two versions of the same alert running?

 

Also, have you tried scheduling a normal alert (not a correlation search alert) and changing the alert_action to "Log Event" and see if the behavior is different? It could possibly be a bug with the notable event alert action. 

 

Lastly, is this from within ES?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top