Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Why does this alert keep firing?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this alert
[nitro_F308-failed-to-launch]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = nitro_splunk_summary
alert.digest_mode = True
alert.expires = 10s
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 1 8 * * *
description = F308 Failed to Launch before 8:00 AM
enableSched = 1
realtime_schedule = 0
search = index=nitro_ecomm sourcetype=nitro_log "[name=F308]] launched" earliest=@d latest =@d+8h | stats count as JobCount | where JobCount < 1 |eval Weight="50" | eval Metric="Health" | eval _time=now()|eval Metric_Category="Application"| eval Metric_Type="Error" | eval Application="Batch" | eval Key="Host" | eval Frequency="24 hour" | eval ID="NA" | eval Description="F308 did not launch before 8:00 AM" | eval Value=JobCount | eval Alert_Type="Critical" | eval Service-Now_Assignment_Group="EC-IScore"| eval Alert="Yes" | eval Violation=1 | eval Search_name="nitro_F308-failed-to-launch" | table _time Metric_Category Metric Metric_Type Application Key ID Description Frequency Value Alert_Type Alert Service-Now_Assignment_Group Weight Violation Search_name
disabled = 0
This alert continues to fire even though it did launch before 8am everyday, any specific reasoning did I write this incorrectly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First - it looks like this is a populating search for a summary index. Why?
Second - it looks like there are no trigger conditions set for the search. So the alert always triggers. ("Always" is the default.)
Third - depending on where the data originates, you might want to run the search slightly later. You are assuming that the event will be detected, transmitted to the Splunk indexer, parsed and written to disk by the actual time 8:01, which may not be true in many environments.
I would have set the trigger condition to "Number of events = 0" in the GUI. In the savedsearches.conf file, I think this would be
counttype=number of events
relation = equal to
quantity = 0
Also, you can remove "| stats count as JobCount | where JobCount < 1 " from your search. Depending on the content of the actual event, this might let you remove some of the eval statements as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First - it looks like this is a populating search for a summary index. Why?
Second - it looks like there are no trigger conditions set for the search. So the alert always triggers. ("Always" is the default.)
Third - depending on where the data originates, you might want to run the search slightly later. You are assuming that the event will be detected, transmitted to the Splunk indexer, parsed and written to disk by the actual time 8:01, which may not be true in many environments.
I would have set the trigger condition to "Number of events = 0" in the GUI. In the savedsearches.conf file, I think this would be
counttype=number of events
relation = equal to
quantity = 0
Also, you can remove "| stats count as JobCount | where JobCount < 1 " from your search. Depending on the content of the actual event, this might let you remove some of the eval statements as well.
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
