Solved: Why am I getting multiple email notices per minute...

usbamuchmore · ‎12-19-2018

I have inherited a medium install of Splunk, and for the most part, I understand everything. But, a simple account locked alert is sending multiple, multiple email notices per minute, and I don't understand why. I'll include a screenshot so anyone who sees something let me know. The purpose is to check for real-time account lockouts and notify only once.

Vijeta · ‎12-19-2018

Probably its because of real-time alert. You can schedule it to run every 1 min for the window of last 60 seconds i.e. 1 minute.

View solution in original post

usbamuchmore · ‎12-19-2018

Perfect guys thank you!

richgalloway · ‎12-19-2018

In addition to the great answer from @Vijeta, turn on throttling. This keeps Splunk from generating additional alerts for the same event(s) for a period of time. To do that, click on the "Throttle" box, complete the form, and click Save.

---
If this reply helps you, Karma would be appreciated.

usbamuchmore · ‎12-19-2018

The throttling did it, thank you, guys!

Vijeta · ‎12-19-2018

Probably its because of real-time alert. You can schedule it to run every 1 min for the window of last 60 seconds i.e. 1 minute.

usbamuchmore · ‎12-19-2018

Ok good. Thank you, clearly, I'm very new to Splunk in general.

Why am I getting multiple email notices per minute from Splunk?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!