I have configured an alert notification on real-time issue and it's working. But I have facing a problem, that any new issue is appear wherever it has only single line error. I got multiple mail notification where the mail time differences was only for 4 seconds means I got 12mails in just one minute for the same single line error.
Where I want only single mail notification on single line real time error.
can anyone suggest/help me on this matter?
Thanks for you help. I wanted that kind of configuration. Now it's working fine.
But now I'm stuck in it's next step.
Whenever Splunk found any error, it's create a report in pdf format and send a mail notification.
So, suppose today I got four error alerts on different time. So in the first mail contain the first error with pdf but from the second mail alert I got the first error+the new error(second alert) , then in the third mail alert in the pdf I got first error+second error+new error(third error). It made more complicated to understand what is actually real time error, just because it contains previous errors.
My Real -time alert settings :
Alert Type : Real-Time
Trigger alert when : Per-Result
Throttle : Checked
Suppress results containing field value : *
Suppress triggering for : 24 hour(s)
Please help me on this matter.
If you have any links for this issue, please attach the link.
Ah, I would change the search time to be only last 60 minutes or few hours. Like you are seeing, since you are looking back 24 hours it is going to return any other alerts triggered in the last 24 hours.