Thank you for looking into this and providing some ideas. I'll get in touch with customer support. ... View more

@frobinson unfortunately I'm seeing two alerts again now: I see two alerts if ClientId NOT (some-id-1 OR some-id-2 OR some-id-3) I see one alert if ClientId = some-id-3 (<-- no alert should be triggered at all in this case) ... View more

Ok, I've updated the query and will wait a few hours to see how it works. Will let you know. (btw there should be only one closing bracket instead of two in your suggestion) ... View more

Ok, and what should I set for "Per result throttling fields"? ... View more

--ClientId== anything other than "some-id-1", "some-id-2", or "some-id-3" That's almost correct, see below. --Class== not "success_first_attempt" or "Server did not accept key" Class== not "success_first_attempt" is correct, the phrase "Server did not accept key" would appear in the 'Msg' key. So properly this part would be: --Class== not "success_first_attempt" and --Msg== not contain "Server did not accept key" but it also works if 'Msg' is omitted. --Mode== only installation That's correct what happens if you remove this from your query: Client = "*"? ClientId can be empty (ClientId=). In that case we don't want to trigger the alert. That's why I have the expression ClientId="*" in there. ... View more

I'll give you the _raw data which contains all the fields of an event: +++ 2016-01-12 17:57:28 +++ ClientId=my-clientid HostId=my-hostid Hostname=my-hostname Platform=Linux (Ubuntu 12.04.5 LTS) Versions=app1:1.3.3,app2:1.2.0 Mode=Installation Class=PROCESS_NOT_RUNNING Msg=One or more processes are not running (I've replaced some field values since they contain sensitive data) ... View more

The double alerts are gone. Instead I'm now seeing event alerts that shouldn't trigger because 'ClientId=some-id-3' and my query (see above) should filter those out. But that's a different problem. ... View more

Ok, I've enabled throttling and will let you know soon if that works. ... View more

Splunk Version 6.3.1511.1 Splunk Build 90ea9ab275dc List of Products: retention Server Name ip-192-168-92-140 [...] Current Application: Search & Reporting App Version 6.3.1511.1 ... View more

Hi @frobinson, thanks for your reply. This is the configuration of my alert: Query: index=tv-* ClientId NOT (some-id-1 OR some-id-2 OR some-id-3) ClientId="*" Class NOT SUCCESS_FIRST_ATTEMPT NOT "Server did not accept key" Mode=Installation Trigger Condition: Per-Result Alert Type: Real-time No throttling. Where would I find the software version? Daniel ... View more

I'm seeing the same behavior with an alert that I configured. The alert is triggered twice but the event only happens once. To be safe I deleted and re-created the alert but the problem didn't go away. Is this an issue with Splunk alerts? ... View more

This did the trick! Thank you. ... View more