Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the difference between "Once" and "For each result" in notable OR alert trigger conditions?

edoardo_vicendo
Contributor
‎10-04-2022 08:08 AM

I know this has been already asked in the past, but it still not completely clear to me:

https://community.splunk.com/t5/Alerting/Can-someone-explain-when-I-would-use-quot-Once-quot-versus-...

https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions

For testing purpose to understand the topic, I have set-up the following Correlation Search that triggers a Notable Event in Splunk Enterprise Security. The same can be done also as an Alert in Splunk Enterprise:

 

 

| makeresults count=3 
| streamstats count | eval value=case(count=1,"test01",count=2,"test02",count=3,"test03") | eval alert=case(count=1,"KO",count=2,"OK",count=3,"KO")
| search alert="KO"
|`get_event_id`|eval orig_index=index|eval orig_indexer_guid=indexer_guid|eval orig_event_hash=event_hash|eval orig_cd=_cd|eval orig_raw=_raw

 

 

The above search run every 5 minutes and generates 2 events.  I tried to change between "Once" and "For each result" but nothing change, they are always generated 2 Notable events.

edoardo_vicendo_0-1664895529808.png

I was expecting:

  • "Once": generate only 1 Notable event
  • "For each result": generate 2 Notable events

 

So the question is which is the difference between "Once" and "For each result" and why there is no effect changing it in my test?

Thanks a lot,

Edoardo

Labels (2)
Labels
0 Karma
Reply

timpedlar
Explorer
‎09-07-2023 12:08 PM

timpedlar_0-1694113639499.png

***Notable response actions and risk response actions are always triggered for each result.

0 Karma
Reply

evinasco08
Explorer
‎01-24-2023 07:45 AM

IF you search generate 2 results, in the "once" options , yo will receive one alert with 2 results, but if is "For each result", you will receive 2 alerts, one for each result

 

 

0 Karma
Reply

jdunlea
Contributor
‎10-04-2022 01:23 PM

The behavior that you are expecting is indeed supposed to be what happens. I have tested your search with a basic alert (not an ES correlation search) and with "once" it only triggers the log_event alert action when the alert runs. When switched to "for each result" it triggers it twice, for both results. 

 

Are you sure that you do not have two versions of the same alert running?

 

Also, have you tried scheduling a normal alert (not a correlation search alert) and changing the alert_action to "Log Event" and see if the behavior is different? It could possibly be a bug with the notable event alert action. 

 

Lastly, is this from within ES?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...