Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I keep getting 2 email notifications for 1 Splunk alert?

mawomommoh
Path Finder
‎06-01-2018 11:43 PM

I have configured my Splunk alert as shown below. When my alert condition is triggered, I get 2 email notifications sent instead of just one. Any idea why this is? I have configured my search to run every minute using a cron expression, and to check for my criteria in the last 1 minute, and to trigger once for the search criteria so I don't know why I get multiple emails for the same alert. I would like to get only one email notification sent when Number of Sources > 0.

Any help would be appreciate. Thanks

alt text

Search criteria:
alt text

Preview file
93 KB
Preview file
5 KB
0 Karma
Reply

somesoni2
Revered Legend
‎06-02-2018 10:34 AM

With Last 1 min time range, your time range can potentially be spread over two mins (it's basically -1m@m [end of previous min] to now() [current time]), so based on what time the search is running, your alert condition could be met for two consecutive alert search. Also, running every minute could be an overkill (unless this is super urgent). So here is what I would suggest

1) Change the alert frequency to say every 5 mins. It's fast enough.
2) Optionally, Instead of starting the cron at 0th min, start at some different minute. So, */5 * * * * will run the search every 5 min, starting with minute 0, then 5, then 10.. and so on. So many basic searches follows this and thus causes congestion during that minute. So lets start at say 2rd min. i.e. 2-59/5 * * * *. We'll adjust the time range as well accordingly.
3) Allow some time for data to be ingested and become searchable (there is few moment of delay between data being monitored, parsed, indexed and made searchable. So allowing a delay in the time range would ensure you're searching all data. With cron of 2-59/5 * * * *, you can use time range with earliest/Start time as -7m@m and latest/Finish time as -2m@m. This way your search is searching for data worth 5 min, but going back 2 mins, allowing 2 min delay for indexing process to be completed.

Reply

mawomommoh
Path Finder
‎06-02-2018 07:57 PM

I tried using the cron of 2-59/5 * * * * and -7m@m(earliest) -2m@m(latest) for the time range as you said but I still get 2 emails sent (1 email when I forward the file and then another email 5 minutes later).

0 Karma
Reply

renjith_nair
Legend
‎06-02-2018 01:37 AM

how's your email address configured? is it a distribution list?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

mawomommoh
Path Finder
‎06-02-2018 07:45 PM

It's a personal email. When I use a distributed list it works fine (only 1 email is sent), but 2 emails are sent when I use my personal email.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...