Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I delete the following duplicate alerts?

lifekis
Explorer
‎12-14-2018 12:16 AM 
index=av source=avRawvirusAlertLog
| table CLIENTTIME, CLIENTIPADDR, NAME, PATH, STATUS_msg, SCANTYPE_msg

edit alert
alert type: reserved
time range: Last 60 minutes
cron: /30***
trigger: result count > 0
trigger: once

when I receive Splunk alert, always duplicate twice..

How can I solve it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-14-2018 06:46 AM

You're getting duplicate alerts because of the way you setup your cron schedule and the timerange. Your timerange is saying look back the last 60 minutes and run the alert every 30 minutes. Maybe an example will clear this up

Say its 6pm and your alert fires and checks if the count is greater than 0. The alert will look from 5pm - 6pm.. At 5:59pm you did have a result count greater than 0, so this triggers an alert action. Then your alert fires again at 6:30pm and looks over the timerange 5:30pm - 6:30pm and sees the exact same condition that the first alert fired (i.e. at 5:59pm). You need to either decrease your timerange to have it match the cron expression or increase your cron expression to match the timerange

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-14-2018 06:46 AM

You're getting duplicate alerts because of the way you setup your cron schedule and the timerange. Your timerange is saying look back the last 60 minutes and run the alert every 30 minutes. Maybe an example will clear this up

Say its 6pm and your alert fires and checks if the count is greater than 0. The alert will look from 5pm - 6pm.. At 5:59pm you did have a result count greater than 0, so this triggers an alert action. Then your alert fires again at 6:30pm and looks over the timerange 5:30pm - 6:30pm and sees the exact same condition that the first alert fired (i.e. at 5:59pm). You need to either decrease your timerange to have it match the cron expression or increase your cron expression to match the timerange

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-14-2018 06:22 AM

First I would ask if you are getting multiple results in your search. Next I would ask if you are triggering the alert Once, or for each result. If for each result, are you seeing duplicate values for the results. For example if you want an alert for each CLIENTIPADDR, and you possible have 2 rows in your table with the same value for CLIENTIPADDR. If so, you could use dedup in your search or something. Have you tried throttling in the alert config?

0 Karma
Reply
Solved! Jump to solution

osakachan
Communicator
‎12-14-2018 05:21 AM

What are you receiving? An e-mail or other thing?

Can you add information about time of alerts and logs who trigger the alert?

0 Karma
Reply
Solved! Jump to solution

lifekis
Explorer
‎12-16-2018 11:11 PM

I got an email.
receive the same message 30 minutes after receiving the first warning message.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎12-17-2018 06:32 AM

You should read my answer below if you want to fix your issue...

0 Karma
Reply
Solved! Jump to solution

whrg
Motivator
‎12-14-2018 04:46 AM

Your cron expression looks weird. If you meant every 30 minutes then type:

*/30 * * * *

EDIT: Never mind. I can see this is a formatting issue on splunkanswers when not using code blocks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...