We are using Splunk 6.4.2 and I have alerting set up on a specific search as follows:
index = wineventlogs
sourcetype = wineventlog_sec
host=SERVER12VWIN OR host=SERVER82VWIN OR host=SERVER13VWIN OR host=SERVER81VWIN OR host=SERVER180VWN OR host=SERVER14VWIN OR host=SERVER15VWIN OR host=SERVER83VWIN OR host=SERVER001VWIN OR host=SERVER049VWIN
We would like to be alerted for each event that comes up on the individual host; however, when the alerting happens, it creates multiple events under one alert. Unfortunately, due to the request of only wanting to alert on the specific 10 hosts out of 25 hosts, I have to include the host names in the search. I do have alert mode set to "Once per Result". Is there something that can be changed so Splunk alerts if any of these hosts' events show? As stated, we would like it to be one alert for each event.
Should I change the search or do I need to set up alerting individually for each one? Any suggestions would be greatly appreciated.
Thank you.
I was able to get the customer online to test, and none of the changes we made got the alerting to fire once per event. I went ahead and re-created the alert from a fresh copy and we are getting better results now. It seems we just had a corrupt alert.
Thank you for all the suggestions and assistance.
I will give that a shot once I hear back from the customer on testing the `| dedup host`. Updates to follow. Thank you for all your time and suggestions.
Crappers. I just noticed these details after I posted my answer.
When you edit the alert from the Alerts dashboard, on the first page the alert type will be 'Scheduled'. Click Next to go to the 'Enable action' screen and scroll down to the 'Action options' section. Right now it should be 'Once' for 'When triggered execute actions'. Change it to 'For each result'. Please note that if there is more than one row for a host in your result set, you'll get that many alerts. To be sure, I would run some aggregation on your alert search.
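The conf-file equivalent of the UI setting described above, as an added example that is not part of the original thread: two savedsearches.conf stanzas (stanza names, schedule, e-mail recipient and the 5-minute throttle window are assumptions) showing the digest setting that sends one alert per scheduled run beside the per-result setting, with a per-host throttle so a burst of events on one host does not produce a flood of identical alerts.

```ini
# savedsearches.conf (added example; stanza names are assumptions)

# --- Setting that produces the behaviour described in the question:
# "Once" in the UI is alert.digest_mode = 1, so every matching event
# from a scheduled run is bundled into a single alert.
[win_sec_10_hosts_digest]
search = index=wineventlogs sourcetype=wineventlog_sec (host=SERVER12VWIN OR host=SERVER82VWIN OR host=SERVER13VWIN OR host=SERVER81VWIN OR host=SERVER180VWN OR host=SERVER14VWIN OR host=SERVER15VWIN OR host=SERVER83VWIN OR host=SERVER001VWIN OR host=SERVER049VWIN)
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
alert.track = 1
action.email = 1
action.email.to = soc-alerts@example.invalid

# --- Corrected stanza: "For each result" in the UI is alert.digest_mode = 0,
# so one alert action runs per row of the result set. The search is
# aggregated per host (as the answer suggests) so a host that logs ten
# events in one run still yields one row, and alert.suppress throttles
# repeat alerts for the same host for 5 minutes.
[win_sec_10_hosts_per_result]
search = index=wineventlogs sourcetype=wineventlog_sec (host=SERVER12VWIN OR host=SERVER82VWIN OR host=SERVER13VWIN OR host=SERVER81VWIN OR host=SERVER180VWN OR host=SERVER14VWIN OR host=SERVER15VWIN OR host=SERVER83VWIN OR host=SERVER001VWIN OR host=SERVER049VWIN) | stats count AS event_count latest(_time) AS last_seen BY host
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 5m
alert.track = 1
action.email = 1
action.email.to = soc-alerts@example.invalid
```

Drop the `| stats ... BY host` clause if you really want one alert per raw event rather than per host per run; with `alert.digest_mode = 0` each row still triggers its own action, which is exactly the flood the answer warns about.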
Thank you for your quick response and I do already have it set to trigger "for each result". I am trying to determine if having all the hosts in my search is creating contention in the trigger, as it returns multiple events for different hosts as one event trigger.