Solved: Why does my real-time alert continue to send email...

di2esysadmin · ‎06-01-2016

I have a simple search:

host=*prod*  "Too many open files"  source!="/opt/atlassian/jira-data/log/emh.log*"

I've set up a simple alert. Real-time, throttling on host for 1 minute. (pic attached)

We had 200+ of these errors, all within 2 seconds of each other, from a single host 2 hours ago. Since then, we've received no less than 24 emails alerting us of those events. I want one email, not 24.

What have I misconfigured?

Thanks!

linu1988 · ‎06-02-2016

Hi,
Please try to set the below setting with your preferred field. Always try to table to data you require. Moreover the throttling period is only 1 minute, so if you have events matching it will generate the alert. If you want hourly then throttle it to send 1 hour per host in the suppress triggering option.

Thanks,
L

View solution in original post

linu1988 · ‎06-02-2016

Hi,
Please try to set the below setting with your preferred field. Always try to table to data you require. Moreover the throttling period is only 1 minute, so if you have events matching it will generate the alert. If you want hourly then throttle it to send 1 hour per host in the suppress triggering option.

Thanks,
L

di2esysadmin · ‎06-22-2016

Thank you. I've made these changes. I've my fingers crossed this will do the trick.

Why does my real-time alert continue to send emails for events that happened hours ago?

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!