Hi pweijian, thanks for posting this update - I really appreciate it!

I have just tried a similar search to the one you suggested, and I am getting the same results as you:

source="/path/to/my/syslog/files/*"
sourcetype="syslog"
| search "my_search_string"

This sends one alert ^^^

source="/path/to/my/syslog/files/*"
sourcetype="syslog"
| search "my_search_string"
| table my_field1, my_field2, my_field3

This sends multiple continuous alerts ^^^

My searches really are not that complex, so I am surprised at the difference.
I will also raise a support ticket with Splunk.

Thanks again, and likewise - I will let you know if I find out anything more.

Hi agamemnon23, I have some updates from Splunk support. He is suspecting that this is a potential bug and he has filed an internal ticket for Splunk engineering team to look into this issue. Will keep you posted if there is more update from them.

Thanks for the update peijian!

We are still experiencing the issue, but we've reconfigured most of our alerts to use simpler queries in the meantime. I haven't raised a support ticket as yet unfortunately due to other work.

I'll keep you posted when I do/when I find out any more.

Hi agamemnon23, Splunk support has confirmed this issue as a bug and have added this issues into the known issue for Version 7.1.0. There is no workaround for this issue in Version 7.1.0. and they will fix this problem in Release 7.1.2. You can refer to bug number SPL-154136 in http://docs.splunk.com/Documentation/Splunk/7.1.0/ReleaseNotes/KnownIssues

Hi pweijian,

Good news - Splunk 7.1.2 has been released and they have appeared to fix the problem!
SPL-154136 is mentioned as "fixed" in the release notes.

I've upgraded to 7.1.2 and tested most of my alerts, and they all seem to be working correctly now.

Thanks again for your help!

Thanks pweijian!

We still have most of our alerts disabled and are patiently waiting for the release of 7.1.2

I upgraded to 7.1.1 recently, although the issue still persists. Strangely, SPL-154136 is neither mentioned in the "known issues" or the "fixed issues" for 7.1.1, so hopefully it hasn't disappeared into a black hole!

yup, all works fine in 7.0.3.

k please open a support case and provide the saved search configs. I have asked our search teams to take a look and advise.

Hi mmodestino, thank you. I have filed a support case and will be meeting up with Splunk support team on WebEx for live troubleshooting.

Hi amitm05,

From my understanding, All Time (real-time) search alert only searches new events coming into the indexer. Once the event is indexed, it should not show up in the search result of the all time real-time search query. This is working well in previous version of Splunk before I tried the new release of Splunk Version 7.1.0.

I have tried to remove all my alert action and just adding the "Add in Triggered Alerts" action. Once an event trigger the alert, I keep receive constant stream of triggered alerts result under the triggered alert page. Each triggered result is showing the same set of results.

The default backfill for real time searches is set to true. You might want to check that in your limits.conf and set it to false. You will find this setting in "realtime" stanza. Something like:

[realtime]

default_backfill =
* Specifies if windowed real-time searches should backfill events
* Defaults to true

I have tried on both free license and paid license both are having the same problem.

Okay, then this seems to be a different issue. I was just guessing as I saw a few issues regarding realtime search with 7.1 recently.