I have set up alerts based on a scheduled search in the logs. The application writes a log message every minute while the error persists, therefore Splunk sends out an email per message.
Can someone help me with a syntax to avoid reading recurring alerts...
I am clueless about how to approach this problem... ignorance.
Thanks.
Check out the alert throttle app:
http://blogs.splunk.com/2010/06/01/alert-throttling/
It should help to reduce the number of alerts you receive. You could run your saved search once a minute but only receive notifications once an hour (or whatever interval you like) after the first alert is generated.
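For reference, the same behaviour the answer describes (search every minute, notify at most once per hour) can also be expressed with the per-search throttle keys in savedsearches.conf. This is an added example, not from the original answer or the linked app; the stanza name, search string, index, sourcetype and recipient are placeholders, and it assumes a Splunk version whose savedsearches.conf supports `alert.suppress`.

```ini
# Added example (not from the original thread). Stanza name, search, index,
# sourcetype and recipient are placeholders.
[app_error_monitor]
# Run the search every minute over the last two minutes.
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -2m
dispatch.latest_time = now
# Keep host in the results so it can be used as a throttle key below.
search = index=app_logs sourcetype=app_log "ERROR" | stats count by host
# Fire when the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = oncall@example.com

# Without the two lines below, every minute the error persists produces
# another e-mail. With them, once an alert fires, further notifications
# for this search are held for alert.suppress.period.
alert.suppress = 1
alert.suppress.period = 1h
# Optional: throttle per distinct host instead of globally, so a new host
# hitting the same error still alerts immediately while known hosts stay
# suppressed. The field must be present in the search results.
# alert.suppress.fields = host
```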