Solved: realtime alerts - exactly one alert per event ?

elenzil · ‎11-30-2011

i would like to set up a realtime alert which fires exactly once per matching search.
throttling is close to this, but not exactly.
eg, if i have two events in a sub-second window,
i want two alerts.

in the meantime, even with throttling, i'm finding myself getting > 1 alert per event.

is there something i'm missing ?

tia,
orion

Takajian · ‎11-30-2011

I do not think real time alert function is able to fire alert per each events. I heard next version 4.3 will have some improvment of real time alert functions.

View solution in original post

Takajian · ‎11-30-2011

I do not think real time alert function is able to fire alert per each events. I heard next version 4.3 will have some improvment of real time alert functions.

AditiKulkarni · ‎04-27-2015

Can we achieve this condition in Splunk 6.1.5?

elenzil · ‎11-30-2011

😕

thanks Takajian. i guess i'll approximate it w/ threshholds.

realtime alerts - exactly one alert per event ?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...