Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alerting on unique field occurrence

mzammit
New Member
‎07-10-2012 11:56 PM

Hi,

I'm trying to implement a search which raises alerts based on events with unique, but as of yet unknown keys within a given timeframe.  For example, if my indexer records the following six events:

11:59:10.000 Error TestClass with ID 902228 has failed with reason... 
11:59:00.000 Error TestClass with ID 8767 has failed with reason...
11:34:32.000 Error TestClass with ID 653 has failed with reason...
11:31:10.000 Error TestClass with ID 902228 has failed with reason...
11:29:00.000 Error TestClass with ID 3652 has failed with reason...
11:25:20.000 Error TestClass with ID 902228 has failed with reason...

I'd like to raise an alert email in real-time for each event which has a unique ID but throttle, over say a 15 minute time period.  So essentially the above event list will generate 5 alert emails i.e. 902228 generates an email at 11:25:20.000 and the following event with the same ID gets skipped and every other event generates an email (so we get 5 emails).

I've thought about/tried using a lookup but am finding it hard going trying to get the syntax right.

Is this the best way?  I'd be grateful if anyone could offer some advice or a potential solution.

0 Karma
Reply

kallu
Communicator
‎07-11-2012 03:03 AM

Sounds like Splunk alert throttling?
Extract TestClass ID -field, if you haven't done that already.

... | rex field=_raw "TestClass with ID (?<TestClassID>\d*)"

And now you can set throttling on TestClassID like shown in here

http://docs.splunk.com/Documentation/Splunk/latest/User/SchedulingSavedSearches#Define_alerts_that_t...

(scroll down to "Set up throttling for a per-result alert")

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...