Splunk Search

How to edit my search to prevent getting multiple alerts?

New Member

Created a search to monitor members added/removed from a group. It's working in search, but in the alert email for deletion of one member from the group, we're getting thousands of alerts. Please see the search and correct if I did anything wrong.

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729) Group_Name=SGG_Emergency_Database_Access Group_Domain=HSUSERS
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")
| rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"
| rex "Account\sName:\s+(?<SourceAccount>.*)"
| stats count by Date, TargetAccount, SourceAccount, ComputerName, Group_Name, Group_Domain, Keywords, name | sort - Date
| rename name as "Message"
| rename SourceAccount as "Administrator Account"
| rename TargetAccount as "Target Account"
0 Karma

Re: How to edit my search to prevent getting multiple alerts?

SplunkTrust

How many rows does this search return? Could you provide other information about the alert, like time range, schedule, alert condition, throttling and alert type (per-result OR once-per-result)?

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

New Member

It returns one row and I have selected per result. But I don't know why it is sending multiple email alerts for one member added or removed.

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

SplunkTrust

What about the schedule and time range? If you have an overlapping time range (e.g. running every 5 min with a time range of the last 30 min, there is a 25 min overlap between each alert execution), it'll cause repeated alerts.

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

New Member

Selected All Time (Real Time). What time range should I select?

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

SplunkTrust

That's not good. I generally avoid real-time search, especially scheduled real-time search. If you're OK with a 6 min delay in getting the result, then use this:

Start time: -6m@m
End time: -1m@m
Cron Schedule: 1-59/5 * * * *
0 Karma
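To see why the window above stops re-alerting on the same event, here is an added example (not from the thread or from Splunk) that models scheduled runs and their search windows. It assumes Splunk's relative time modifiers snap to the minute (`@m`) and that a window is half-open `[earliest, latest)`; the cron minute-field parser is a constructed subset that only handles the `*/N` and `A-B/N` forms used here.

```python
from datetime import datetime, timedelta


def parse_minute_field(field):
    """Expand a cron minute field such as '*/5' or '1-59/5' into minute values.
    Constructed helper: only these two forms are supported."""
    rng, _, step = field.partition("/")
    step = int(step) if step else 1
    lo, hi = (0, 59) if rng == "*" else map(int, rng.split("-"))
    return list(range(lo, hi + 1, step))


def search_window(run_at, earliest, latest):
    """Window [start, end) searched by a run at run_at. earliest/latest are
    minute offsets, e.g. -6 and -1 model Splunk's -6m@m and -1m@m."""
    base = run_at.replace(second=0, microsecond=0)  # the @m snap
    return base + timedelta(minutes=earliest), base + timedelta(minutes=latest)


def fires_per_event(earliest, latest, minute_field):
    """Place a hypothetical event at every second of one hour and count how
    many scheduled runs would include it. Returns (min_hits, max_hits):
    max > 1 means duplicate alerts, min == 0 means events are missed."""
    runs = [datetime(2024, 1, 1, h, m)  # constructed date, any day works
            for h in range(3) for m in parse_minute_field(minute_field)]
    windows = [search_window(r, earliest, latest) for r in runs]
    hits = []
    for sec in range(3600):
        event = datetime(2024, 1, 1, 1) + timedelta(seconds=sec)
        hits.append(sum(1 for start, end in windows if start <= event < end))
    return min(hits), max(hits)


if __name__ == "__main__":
    # Every 5 min over the last 30 min: each event is alerted on 6 times.
    print("last 30m, */5     ->", fires_per_event(-30, 0, "*/5"))
    # The thread's fix: windows tile the timeline, each event seen exactly once.
    print("-6m@m..-1m@m, 1-59/5 ->", fires_per_event(-6, -1, "1-59/5"))
    # Window narrower than the interval: events fall through the gaps.
    print("-4m@m..-1m@m, */5  ->", fires_per_event(-4, -1, "*/5"))
```

The rule the numbers illustrate: the window length (`latest - earliest`) must equal the cron interval for every event to be seen exactly once.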

Re: How to edit my search to prevent getting multiple alerts?

New Member

From time picker what time range do I need to select?

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

New Member

While scheduling this search to alert

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

SplunkTrust

Go to advanced section in the time-range picker, and use earliest as -6m@m and latest as -1m@m.

0 Karma

Re: How to edit my search to prevent getting multiple alerts?

New Member

As you instructed to change in alert Start time: -6m@m
End time: -1m@m
Cron Schedule: 1-59/5 * * * *

I did it and checked in the time picker; the picker is showing custom and the same times have already been updated. But I'm not getting the result.

0 Karma