Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can i receive an alert just for the new service

nessrine_talbi
Explorer
‎08-21-2020 04:16 AM

Hello, 

I created an alert, that alerts me about the service down but I need that when a service remains down from the last time I do not receive an alert for this service I only receive an alert for the new service down,

how can i do it 

please any help !!! 

| inputlookup services_oracle.csv | search NOT [search index=* sourcetype=srvscript | eventstats max(_time) as TimeEvent | where _time = TimeEvent | fields CMD ] | eval statut = "DOWN"
| table CMD statut

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 07:04 AM
Consider adding a throttle to your alert. Have the throttle look at the CMD field and suspend alerts for 1 day.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...