Re: Health Rule - Wait time after violation

Benjamin_Andres · ‎05-02-2023

Hello Everyone,

Looking for a little clarity on how to best use the "wait time after violation" option when constructing a health rule.

Our thought was that we did not want teams to receive alerts for the same issue, so we tried to set the value at 1440 (one day) so the team would only get one alert per day, until it resolution.

I think this may be causing an issue though, we had a brief violation of a rule yesterday evening at 5 pm cst, but then the value went back to being underneath the threshold (no longer violating). Even though it's been 22 hours since the violation, the health rule is still showing that its violating.

I believe having "wait time after violation" set to 24 hours, it is not allowing the health rule to re-evaluate its status. is that how it is working? I am just trying to gain confidence in how it is meant to operate.

Any input is greatly appreciated!

(Images attached for reference)Last violation - 22 hours agolast 1 hour - well under thresholdwait time after violation

Satbir_Singh · ‎05-02-2023

Hi,

HR are evaluated every minute, please read the info on the right side after entering the value. Seems like we are missing something here.

Thanks,
Satbir Singh

Health Rule - Wait time after violation

Controller

Licensing

User Management

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation