Reporting

Can realtime alerting actions be run only once per event?

Lowell
Super Champion

I'm trying to trigger a scripted action based on specific Windows services starting and stopping. I set up a realtime savedsearch to detect the condition, trigger my scripted action, and send me an email. The problem is that when the condition occurs, I get pummeled with emails and the triggered action gets launched repeatedly (several times a minute). The same event is alerted upon multiple times.

The realtime saved search is configured to accept anything from the past 10 minutes, i.e. rt-10m. (During a reboot, it's possible that a monitored Windows service could be shut down after splunkd and therefore the shutdown event wouldn't be forwarded until the system is back up.) The alert action gets triggered repeatedly for the same event during that 10 minute window.

On similar questions, others have suggested using the alert throttle. But that effectively disables the alert temporarily, which also prevents new events from being seen. For example, if the service comes back online in under 10 minutes, the "service-up" event would be suppressed by the throttle. Losing events isn't acceptable in this use case.

I need something like a trigger-level dedup that just gives me a single copy of each event!

Note: I'm currently running Splunk 4.2, but I've heard about "Per-result alerting" in 4.3. I'm not sure that helps me here, but any feedback regarding this is welcomed.


BenAveling
Path Finder

If you aren't still on splunk 4.2, per-result alerting now allows you to suppress based on a field.

So you could suppress based on service - i.e. suppressing alerts on one service needn't mean suppressing alerts on other services.

See http://docs.splunk.com/Documentation/Splunk/5.0.4/Alert/Defineper-resultalerts
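To make the answer concrete, here is a savedsearches.conf stanza (an added example, not from the thread or the Splunk docs) that applies per-result alerting with field-based suppression to the original poster's scenario. It assumes the Windows System log is indexed with sourcetype WinEventLog:System, that Service Control Manager event 7036 ("The X service entered the Y state") is the signal, and that the service name and state are extracted into fields called "service" and "state"; the email address and script filename are placeholders. Including "state" in the suppression key is the part that addresses the original concern: a throttled "stopped" alert for a service does not suppress the later "running" alert for the same service, because the two results have different key values.

```ini
# savedsearches.conf -- added example; the search, field names, address and
# script name are assumptions, not settings taken from the original page.
[Windows service state change]
search = index=wineventlog sourcetype="WinEventLog:System" EventCode=7036 | rex field=Message "The (?<service>.+?) service entered the (?<state>\w+) state"
enableSched = 1

# Real-time window, as in the question
dispatch.earliest_time = rt-10m
dispatch.latest_time = rt

# Per-result alerting: run the actions once per matching result rather than
# once per search run (alert.digest_mode = 1 is the older once-per-search behaviour)
alert.digest_mode = 0
alert.track = 1

# Throttle per result, keyed on the fields that identify a distinct event.
# The same (host, service, state) tuple fires at most once per 10 minutes,
# which covers the rt-10m window in which the same event keeps being re-matched.
alert.suppress = 1
alert.suppress.fields = host,service,state
alert.suppress.period = 10m

# Actions (placeholders)
action.email = 1
action.email.to = ops@example.com
action.script = 1
action.script.filename = service_state_change.sh
```

One caveat worth checking before relying on this: the suppression period is a blanket window for the key, so a service that genuinely stops twice within 10 minutes will only alert on the first stop. If that matters, shorten alert.suppress.period to just above the time it takes a delayed event to age out of the real-time window, or add a field with finer granularity (for example a timestamp bucket) to alert.suppress.fields.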
