How can I get unique events/results every time ale...

admin12345678 · ‎06-28-2020

Hi,

Suppose I have an alert, whenever that alert will trigger it should return a unique result only, I don't want those previous results of that same alert.

If my alert "A" triggering at "A1" time it will return "R1" results,

at "A2" time it should return "R2" results not "R1+R2" and

at "R3" times it should return "R3" results not "R1+R2+R3"

Please tell what are the things that I need to consider,

Alert search - index=jira "issue is not fixed"

condition- If number of results is greater than Zero

corn schedule - */5 8-10 * * *

time range - last 24 hours

Trigger - Once

Thanks in advance 🙂

The_Simko · ‎06-28-2020

If your condition is greater than zero, then why are you doing a 24 hour window? Set the search window to the same as your cron schedule. So only search the last 5 minutes.
That way you only get unique instances.

Or are you needing to do the 24 hour and want to implement throttles so you don't get nagged about the same issue every 5 minutes? If so, then set thresholding.

admin12345678 · ‎06-28-2020

Hi @The_Simko

Thanks for your assistance but It will not work if u see me corn schedule then you will understand that alert should trigger between 8 am to 10 am, so 1st alert of the day should be on last 24 hours or last 22 hours (i.e. yesterday's 10 am to today's 8 am) then after that if I applied on last 5 minutes then it's fine but if we mention 5 minutes initially then 1st alert of the day will run from 7:55 am to 8 am which is not desirable.

How can I get unique events/results every time alert matches conditions ?

configuration

using Splunk Enterprise

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?