Alerting

Why am I not getting an alert for each matching event, even after selecting "For Each" on alert actions page?

SomnathShilimka
Explorer

Hi All,

I am using Splunk 6, and below is the issue I am facing.

I have set up a scheduled alert with a 5-minute interval. As per my search string, during those 5 minutes I can see around 16 events being generated. While creating the alert I selected Per Result as the execution action, meaning that for 16 events, 16 alerts must be generated.

But when I check after some time (5-6 minutes), I can see only one alert representing 16 events. Ideally there should be 16 alerts generated, but in my case this is not working. I tried it on Splunk 5 too, but same issue.

Please explain why this is happening?

Thanks & Regards,
Somnath


alacercogitatus
SplunkTrust

I'm willing to bet the problem is that you aren't generating results. Merely returning 16 "events" will not translate into "results". Raw events count as 1 result. If you add some table or stats, you should get what you are looking for. Try adding something like this:

<your_search> | table _time _raw

This should give you a table with _time and _raw in it, probably 16 results. You will probably want to change that, but it should prove to alert 16 times.

SomnathShilimka
Explorer

Hi,

Thanks for the reply. I am new to Splunk and therefore not very skilled in it.

I have added the command suggested by you above, but it did not help.

I am trying the search below.
sourcetype=access_combined* status=404

Over 5 minutes it gives me around 15-20 matching events, therefore I decided to create a scheduled alert which will generate 15-20 alerts (one alert for each). But somehow it shows me only one alert after 5 minutes.

Please help me with this. How can I achieve getting the same number of alerts as the number of events matched?

Regards,
Somnath


alacercogitatus
SplunkTrust

sourcetype=access_combined status=404 | stats count by status host

Try that; you add in the items at the end to generate the results.

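As an added illustration (not part of the thread, and not a resolution the thread confirms), this is what a per-result scheduled alert built on a results-producing search looks like in savedsearches.conf. The stanza name, schedule window and e-mail recipient are assumptions chosen for the example; alert.digest_mode = 0 is the conf-file equivalent of choosing "For each result" in the alert actions UI.

```ini
# Added example, not from the thread. Stanza name, schedule and recipient are assumed.
[HTTP 404 count per host]
# The search must end in a command that produces results (stats, table, ...):
# a search that only returns raw events counts as a single result for alerting.
search = sourcetype=access_combined* status=404 | stats count by host

# Run every 5 minutes over the previous 5-minute window (assumed schedule).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Trigger whenever the result count is greater than 0.
counttype = number of events
relation = greater than
quantity = 0

# 0 = run the actions once per result ("For each result");
# 1 = run them once for the whole result set ("Once").
alert.digest_mode = 0

# Record each trigger in Alert Manager (Triggered Alerts).
alert.track = 1

# Example action: one e-mail per result; the recipient is a placeholder.
action.email = 1
action.email.to = soc-oncall@example.invalid
```

A quick check before saving the alert is to run the search interactively and confirm that the results pane shows a table with one row per host rather than raw events; each of those rows is what the per-result action is applied to.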

SomnathShilimka
Explorer

Hi,

The above search gave me 3 results (as we have used the stats command) and around 39 matching events.

Per my understanding, this time it should have generated 3 alerts (as the number of results is 3), but still it is showing me only one alert in Alert Manager.

I saw a Splunk Education video on alerting in which they said that if you want an alert for each result, then select For Each in actions. But unfortunately this is not happening.

Thanks & Regards,
Somnath
