Alerting

Why am I not getting an alert for each matching event, even after selecting "For Each" on alert actions page?

Hi All,

I am using Splunk 6 and below is the issue I am facing.

I have set up a scheduled alert for a 5-minute window. As per my search string, during those 5 minutes I can see around 16 events being generated. While creating the alert I selected Per Result as the execution action, meaning that for 16 events, 16 alerts must get generated.

But when I check after some time (5-6 minutes), I can see only one alert representing 16 events. Ideally there should be 16 alerts generated, but in my case this is not working. I tried it on Splunk 5 too, but same issue.

Please explain why this is happening?

Thanks & Regards,
Somnath

0 Karma

SplunkTrust

I'm willing to bet the problem is that you aren't generating results. Merely returning 16 "events" will not translate into "results". Raw events count as 1 result. If you add some table or stats, you should get what you are looking for. Try adding something like this:

<your_search> | table _time _raw

This should give you a table with _time and _raw in it, probably 16 results. You will probably want to change that, but it should prove to alert 16 times.

0 Karma

Hi,

Thanks for the reply. I am new to Splunk, therefore not very skilled in it.

I have added the above command suggested by you, but it did not help.

I am trying the below search.
sourcetype=access_combined* status=404

Over 5 minutes it gives me around 15-20 matching events, therefore I decided to create a scheduled alert which will generate 15-20 alerts (one alert for each), but somehow it shows me only one alert after 5 minutes.

Please help me with it. How can I achieve getting the same number of alerts as the number of events matched?

Regards,
Somnath

0 Karma

SplunkTrust
sourcetype=access_combined status=404 | stats count by status host

Try that; you add in the items at the end to generate the results.

0 Karma

Hi,

The above search gave me 3 results (as we have used the stats command) and around 39 matching events.

Per my understanding, this time it should have generated 3 alerts (as the number of results is 3), but still it is showing me only one alert in the alert manager.

I saw a Splunk education video for alerting in which they said that if you want an alert for each result you should select For Each in actions, but unfortunately this is not happening.

Thanks & Regards,
Somnath

0 Karma
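As an added illustration (not posted by anyone in this thread), this is what the saved-search stanza behind a per-result alert on the search discussed above looks like in savedsearches.conf, with the one-alert-for-everything setting shown next to the per-result one. The stanza name, schedule and email address are assumptions.

```ini
# savedsearches.conf (added example; stanza name, schedule and recipient are assumptions)
[404 per-request alert]
# Tabling the results yields one row per matching event, so a per-result
# alert has 16 things to fire on. A bare event search is treated as a
# single result and fires once, however many events it matched.
search = sourcetype=access_combined* status=404 | table _time host status _raw
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Trigger whenever the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0
# Digest mode (default, 1) runs the actions once for the whole result set,
# which is the "one alert representing 16 events" behaviour from the question.
# 0 is the "Per Result" / "For Each" setting: actions run once per result row.
alert.digest_mode = 0
# List the triggered alerts in Alert Manager so the count can be checked.
alert.track = 1
actions = email
action.email.to = ops@example.com
```

With alert.track set, each per-result firing appears as its own entry in Alert Manager, so comparing that count with the row count of the search is the quickest check that the alert is running in per-result mode.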