only alert on new events

New Member

Hi everyone,

We recently set up Splunk for testing. One of the features I'm most interested in right now is the "Alert" functionality.

I have created a alter that runs every day at 06:00. The alert find the events I'm searching for and creates a alert. The only issues is that every new alert also includes events that are older than 24 Hours. I would like to only alter on events that are newer than 24 hours.

Is this possible?

/ Alexander

Tags (2)
0 Karma

Re: only alert on new events


Sure. Define the timerange for the search you're using to be last 24 hours. Have a look at the section "Start by defining and saving a search" in this section of the docs:

View solution in original post

0 Karma