Alerting

Why does this alert keep firing?

JoshuaJohn
Contributor

I have this alert

[nitro_F308-failed-to-launch]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = nitro_splunk_summary
alert.digest_mode = True
alert.expires = 10s
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 1 8 * * *
description = F308 Failed to Launch before 8:00 AM
enableSched = 1
realtime_schedule = 0
search = index=nitro_ecomm sourcetype=nitro_log "[name=F308]] launched" earliest=@d latest =@d+8h | stats count as JobCount | where JobCount < 1 |eval Weight="50" | eval Metric="Health" | eval _time=now()|eval Metric_Category="Application"| eval Metric_Type="Error" | eval Application="Batch" | eval Key="Host" | eval Frequency="24 hour" | eval ID="NA" | eval Description="F308 did not launch before 8:00 AM" | eval Value=JobCount | eval Alert_Type="Critical" | eval Service-Now_Assignment_Group="EC-IScore"| eval Alert="Yes" | eval Violation=1 | eval Search_name="nitro_F308-failed-to-launch" | table _time Metric_Category Metric Metric_Type Application Key ID Description Frequency Value Alert_Type Alert Service-Now_Assignment_Group Weight Violation Search_name
disabled = 0

This alert continues to fire even though the job did launch before 8am every day. Is there any specific reason? Did I write this incorrectly?

0 Karma
1 Solution

lguinn2
Legend

First - it looks like this is a populating search for a summary index. Why?
Second - it looks like there are no trigger conditions set for the search. So the alert always triggers. ("Always" is the default.)
Third - depending on where the data originates, you might want to run the search slightly later. You are assuming that the event will be detected, transmitted to the Splunk indexer, parsed and written to disk by the actual time 8:01, which may not be true in many environments.

I would have set the trigger condition to "Number of events = 0" in the GUI. In the savedsearches.conf file, I think this would be

counttype = number of events
relation = equal to
quantity = 0

Also, you can remove "| stats count as JobCount | where JobCount < 1 " from your search. Depending on the content of the actual event, this might let you remove some of the eval statements as well.


0 Karma
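As an added example, not from either poster, here is a small Python linter that reads savedsearches.conf text and flags the two problems described in the answer: a missing trigger condition (no counttype, so Splunk's default of "always" applies and the alert fires on every scheduled run) and a summary-index action on what is meant to be an alert. The sample stanzas are constructed, trimmed variants of the one in the question, one as posted and one with the suggested trigger condition.

```python
"""Lint savedsearches.conf stanzas for alerts that will fire on every run."""
import configparser

# Constructed sample: a trimmed copy of the stanza from the question, plus a
# corrected variant with an explicit trigger condition and no summary-index action.
SAMPLE_CONF = """
[nitro_F308-failed-to-launch]
enableSched = 1
cron_schedule = 1 8 * * *
action.summary_index = 1
search = index=nitro_ecomm sourcetype=nitro_log "launched" earliest=@d latest=@d+8h | stats count as JobCount | where JobCount < 1

[nitro_F308-fixed]
enableSched = 1
cron_schedule = 1 8 * * *
counttype = number of events
relation = equal to
quantity = 0
search = index=nitro_ecomm sourcetype=nitro_log "launched" earliest=@d latest=@d+8h
"""


def load_stanzas(text):
    """Parse savedsearches.conf text into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. enableSched, action.summary_index
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_alert(stanza):
    """Return human-readable findings for one scheduled-search stanza."""
    findings = []
    if stanza.get("enableSched", "0").strip() != "1":
        return findings  # not scheduled, so it never triggers anything
    # Splunk's default when counttype is absent is "always": trigger every run.
    counttype = stanza.get("counttype", "always").strip().lower()
    if counttype == "always":
        findings.append("no trigger condition (counttype defaults to 'always'): fires every run")
        if "| where " in stanza.get("search", ""):
            # Filtering rows inside the search does not gate an 'always' trigger.
            findings.append("'| where' in the search does not gate the trigger; set counttype/relation/quantity")
    elif not {"relation", "quantity"} <= stanza.keys():
        findings.append("counttype set but relation or quantity is missing")
    if stanza.get("action.summary_index", "0").strip() == "1":
        findings.append("action.summary_index=1: every trigger writes a row to the summary index")
    return findings


def lint_conf(text):
    """Lint every stanza in a savedsearches.conf text; empty list means clean."""
    return {name: lint_alert(st) for name, st in load_stanzas(text).items()}


if __name__ == "__main__":
    for name, findings in lint_conf(SAMPLE_CONF).items():
        print(name, "->", findings or "OK")
```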