I have created an alert that sends 100 results to 100 individuals. The alert mode was kept as "Once per result". But each time it is triggered, it runs for 4 minutes and within that time only 4 people get the alert and the rest don't.
Please suggest how to fix this problem.
It is entirely likely that the problem is that you are being throttled by your email system itself. The best way to handle this is to create an email distribution list in your email system so that you send to 1 email address and the email system distributes to everyone else. Many enterprise companies use xMatters and Splunk integrates with this well:
https://splunkbase.splunk.com/app/2901/
Also, "Once per result" will send 100 emails to 100 people with 1 event in each email, which is surely not what you desire; change to the other setting to send 1 email to 100 people with 100 events in each email.
I am providing here an illustration of my search that would run as an alert:
EnterpriseID  ReportingMonth  BookedHours  WorkingHours  Email             SupervisorID
a.b.c         May,2017        12           20            a.b.c@gmail.com   a.x@gmail.com
d.e.f         May,2017        20           20            d.e.f@gmail.com   a.1@gmail.com
d.e.g         May,2017        19           20            d.e.g@gmail.com   a.2@gmail.com
The query is written in such a way that it will send the booked hours and working hours result only to those who have booked hours less than working hours.
Since individuals need to get the result here, I have kept the alert mode as "Once per Result". I cannot use "Once per search" here.
The problem is the alert only runs for 5 minutes and only sends 4-5 results within those 5 minutes and then it expires.
But I need all those who satisfy the mentioned condition to receive the mail alert.
Please do the needful.
How are you getting it to send to each user and not to all users? Are you using tokens? Show the entire search and the alert settings and maybe we can help (or devise an alternative).
Like I said, if the email is a.b.c@gmail.com, the booked hours are 12 and the working hours are 20.
Since the booked hours are less, an email should be sent from the server to his mail notifying him of this.
I cannot send it to all users at a time (which is the "Once per search" mode in the mail settings) since every user must get his/her individual alert.
I am providing below a summary of my query:
"| Query for calculating the number of days in a week | append [ | Macro for bringing out latest values from TicketMaster source ]
| joining a primary key with another macro for calculating booked hours of the respective employee | eval Email=employee+"@domain.com" |
A search command to extract those employees from the table whose booked hours are less than working hours
Note: working hours are calculated from the first statement of the query, "Query for calculating the number of days in a week"."
This query gives a table which contains Employee ID, booked hours, working hours, respective domain and email ID along with their supervisor's ID. This sends an alert to those employees who are mentioned in the table (which is generated by the above query).
Here are my mail settings:
Expiration: after 24 hours
Severity: Critical
Schedule type: Cron
Cron Schedule: runs the alert every day except weekends, "10 12 * * 1-5"
Alert mode: Once Per Result
Alert condition: Always
Throttling checkbox: not checked
Alert Actions checkbox: checked
To field: $result.Email$
CC: $result.SupervisorId$
Actually my mail alert sends to 100 individuals, so I kept the mode as Once Per Result.
And in my output I am bringing out an email ID column. Based on this I am sending one mail to different individuals with their respective result. So I can't use the "Once Per Search" mode here.
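For readers following the thread, here is a savedsearches.conf stanza that expresses the alert the poster describes (weekday cron, per-result emails addressed by result token, 24-hour expiry, no throttling). It is an added illustration, not the poster's actual configuration or search; the `inputlookup` source, the stanza name, the `@domain.com` suffix and the subject line are assumptions standing in for the macro chain summarised above. One practical caveat: `$result.<field>$` tokens must match the result column names exactly, since Splunk field names are case-sensitive, so the token for the cc field should be spelled the same way as the column the search emits.

```ini
# Added illustration of the alert discussed in this thread; not the poster's real config.
# Assumption: timesheet_summary.csv already carries the columns shown in the thread's table.
[booked_hours_below_working_hours]
# Weekdays at 12:10, matching the cron schedule given in the thread
cron_schedule = 10 12 * * 1-5
enableSched = 1
# Placeholder search: the poster's macro chain is replaced by a lookup; the final "where"
# keeps only rows whose BookedHours are below WorkingHours, so each result is one recipient.
search = | inputlookup timesheet_summary.csv | eval Email=EnterpriseID."@domain.com" | where BookedHours < WorkingHours | table EnterpriseID ReportingMonth BookedHours WorkingHours Email SupervisorID
# Trigger condition "Always": fire whenever the search returns at least one result
counttype = number of events
relation = greater than
quantity = 0
# 0 = "Once per result" (one email per row); 1 = "Once per search" (one digest email)
alert.digest_mode = 0
# Expiration: after 24 hours; throttling unchecked; list the alert in Triggered Alerts
alert.expires = 24h
alert.suppress = 0
alert.track = 1
# Email action addressed from the result row; tokens must match the column names exactly
action.email = 1
action.email.to = $result.Email$
action.email.cc = $result.SupervisorID$
action.email.subject = Booked hours below working hours for $result.EnterpriseID$
action.email.sendresults = 1
```

With `alert.digest_mode = 0` Splunk hands the email action one row at a time, which is why a 100-row result produces 100 separate sends and why a rate limit on the mail relay shows up as only the first few recipients receiving anything; switching to `alert.digest_mode = 1` collapses the run into a single message, which is the trade-off the earlier answer points at.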