Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is there an All Time (real-time) Alert Trigger in Splunk Enterprise 7.1.0?

pweijian
Explorer
‎04-30-2018 03:07 AM

I have been using Splunk Enterprise 7.0.3 to do real-time search alert trigger without any issues previously. Recently, I attempt to upgrade Splunk Enterprise to 7.1.0 and found some weird problem with the alert trigger.

This is the setup I have:
1. Using amqp-ta plugin to consume messages from RabbitMQ into IndexA.
2. An alert trigger running on All Time (real-time) search on IndexA to find newly indexed events.
3. The alert is trigger per result.
4. Each alert has 2 actions: Custom Action to write a result to another RabbitMQ Exchange and also log the event to another index.

Problem:
Whenever a new event is being added to IndexA, it will trigger repeatedly trigger the alert action. All the alert action search result is showing the same event that was added. This trigger will continue infinitely until I disable the Alert.

I'm not sure if there are any changes to the architecture of Real-time search alert trigger from 7.0.3 to 7.1.0. Any help would be greatly appreciated!

Reply
1 Solution
Solved! Jump to solution
Solution

pweijian
Explorer
‎05-03-2018 03:24 AM

Hi agamemnon23, I have met up with Splunk support team in live troubleshooting session and the conclusion is that the complex search query is causing the issue we are facing. And this is only happening on Splunk 7.1.0.

To illustrate more...for search query, (index="test_index"), this will only trigger one alert per result. But for search query, (index="test_index" | table _raw), the repeating alert trigger problem will reappear.

I will keep you posted if I got further updates from Splunk regarding this issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 05:24 AM

I've no ready solution, but did you try changing it to scheduled (every minute) search and see if it still happens?

0 Karma
Reply
Solved! Jump to solution

pweijian
Explorer
‎04-30-2018 08:26 PM

Hi xpac, thanks for your suggestion. I did tried that and scheduled search is working fine. But my use-case would need to real-time search as I need alerts to be send out immediately when an event is detected.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...