Splunk Search

How to edit my search to alert once per result for multiple hosts?

CaptainHook
Communicator

We are using Splunk 6.4.2 and I have alerting set up on a specific search as follows:

index=wineventlogs sourcetype=wineventlog_sec
(host=SERVER12VWIN OR host=SERVER82VWIN OR host=SERVER13VWIN OR host=SERVER81VWIN OR host=SERVER180VWN OR host=SERVER14VWIN OR host=SERVER15VWIN OR host=SERVER83VWIN OR host=SERVER001VWIN OR host=SERVER049VWIN)

We would like to be alerted for each event that comes up on the individual host; however, when the alerting happens, it creates multiple events under one alert. Unfortunately, due to the request of only wanting to alert on the specific 10 hosts out of 25 hosts, I have to include the host names in the search. I do have alert mode set to: "Once per Result". Is there something that can be changed so Splunk alerts if any of these hosts events show? As stated, we would like it to be one alert for each event.

Should I change the search or do I need to set up alerting individually for each one? Any suggestions would be greatly appreciated.

Thank you.

1 Solution

CaptainHook
Communicator

I was able to get the customer online to test and none of the changes we made affected the alerting to fire one per event. I went ahead and re-created the alerting with a fresh copy and we are getting better results now. Seems we just had a corrupt alert.

Thank you for all the suggestions and assistance.


0 Karma

CaptainHook
Communicator

I will give that a shot once I hear back from the customer on testing the |dedup host. Updates to follow. Thank you for all your time and suggestions.

0 Karma

sloshburch
Splunk Employee

Crappers. I just noticed these details after I posted my answer.

0 Karma

somesoni2
Revered Legend

When you edit the alert from the Alerts dashboard, on the first page, the alert type will be 'scheduled'. Click on next to go to the 'Enable action' screen, scroll down to the 'Action options' section. Right now it should be 'Once' for 'When triggered execute actions'. Change it to 'For each result'. Please note that if there is more than one row for a host in your result set, you'll get that many alerts. To be sure, I would run some aggregation on your alert search.

0 Karma
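The two trigger modes somesoni2 describes map directly onto the savedsearches.conf stanza behind the alert, which is also the quickest place to confirm what an alert is actually configured to do when the UI and the observed behaviour disagree. The stanza below is an added example, not the poster's saved search or anything from this thread; the stanza name, schedule, e-mail address and suppression window are assumptions, while the index, sourcetype and host list are the ones from the question.

```ini
# Added example: savedsearches.conf stanza for the alert discussed above.
# Stanza name, schedule, e-mail address and throttle window are assumed;
# index, sourcetype and the ten host names come from the original search.
[wineventlog_sec_10_hosts_alert]
search = index=wineventlogs sourcetype=wineventlog_sec \
    (host=SERVER12VWIN OR host=SERVER82VWIN OR host=SERVER13VWIN OR host=SERVER81VWIN OR host=SERVER180VWN \
     OR host=SERVER14VWIN OR host=SERVER15VWIN OR host=SERVER83VWIN OR host=SERVER001VWIN OR host=SERVER049VWIN)

# Assumed schedule: run every five minutes over the previous five-minute window.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Fire whenever the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0

# alert.digest_mode = 1 is the "Once" trigger mode: all events from one run
# are bundled into a single alert, which is the behaviour the question reports.
# alert.digest_mode = 0 is "For each result": one alert per matching event.
alert.digest_mode = 0

# Optional throttle, left disabled here because the thread asks for one alert
# per event. Enabling it collapses repeated events from the same host within
# the window into one action, which addresses the "that many alerts" caveat.
# alert.suppress = 1
# alert.suppress.fields = host
# alert.suppress.period = 10m

# Record each firing under Activity > Triggered Alerts and send e-mail.
alert.track = 1
alert.severity = 3
action.email = 1
action.email.to = soc@example.com
action.email.subject = Security event on $result.host$
```

After editing the file, reload the saved searches (or restart splunkd) and confirm the effective value with `splunk btool savedsearches list wineventlog_sec_10_hosts_alert --debug`; if `alert.digest_mode` still shows 1 from another configuration layer, that layer is overriding the UI setting and is worth checking before rebuilding the alert.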

CaptainHook
Communicator

Thank you for your quick response and I do already have it set to trigger "for each result". I am trying to determine if having all the hosts in my search is creating contention in the trigger, as it returns multiple events for different hosts as one event trigger.

0 Karma