I am using Splunk 6 and below is the issue I am facing.
I have set up an alert (scheduled alert) for a 5 minute interval. As per my search string, during those 5 minutes I can see around 16 events being generated. While creating the alert I selected Per Result as the execution action, meaning that for 16 events 16 alerts must get generated.
But when I check after some time (5-6 minutes), I can see only one alert representing 16 events. Ideally there should be 16 alerts generated, but in my case this is not working. I tried it on Splunk 5 too, but it is the same issue.
Please explain why this is happening?
Thanks & Regards,
I'm willing to bet the problem is that you aren't generating results. Merely returning 16 "events" will not translate into "results". Raw events count as 1 result. If you add some table or stats, you should get what you are looking for. Try adding something like this:
<your_search> | table _time _raw
This should give you a table with _time and _raw in it, probably 16 results. You will probably want to change that, but it should prove to alert 16 times.
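For reference, this is what the answer's advice looks like as a savedsearches.conf stanza: a 5-minute scheduled search whose pipeline emits one result row per event, with the alert set to fire per result rather than once per result set. This is an added illustration, not configuration from the thread; the stanza name, the base search (index=main sourcetype=syslog "ERROR") and the trigger condition are constructed assumptions.

```ini
# Constructed example stanza for savedsearches.conf (not from the thread).
[per_result_error_alert]
# Base search is a placeholder; "| table _time _raw" turns each raw event into
# its own result row, so the result count matches the event count.
search = index=main sourcetype=syslog "ERROR" | table _time _raw

# Run every 5 minutes over the previous 5-minute window.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Trigger whenever the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0

# 0 = apply alert actions to each individual result ("Per Result");
# the default of 1 applies them once to the whole result set.
alert.digest_mode = 0

# Record each triggered alert in Alert Manager (Triggered Alerts).
alert.track = 1
```

With alert.digest_mode left at its default of 1 the same search still produces a single entry in Alert Manager covering all rows, which is the behaviour described in the question.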
Thanks for the reply. I am new to Splunk, therefore not very skilled in it.
I have added the above command suggested by you, but it did not help.
I am trying the below search.
Over 5 minutes it gives me around 15-20 matching events, therefore I decided to create an alert (scheduled alert) which will generate 15-20 alerts (one alert for each). But somehow it shows me only one alert after 5 minutes.
Please help me with it. How can I achieve getting the same number of alerts as the number of events matched?
The above search gave me 3 results (as we have used the stats command) and around 39 matching events.
Per my understanding, this time it should have generated 3 alerts (as the number of results is 3), but still it is showing me only one alert in Alert Manager.
I saw a Splunk education video for alerting in which they said that if you want an alert for each result then select For Each in actions. But unfortunately this is not happening.
Thanks & Regards,