×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
marthin
Engager
Member since: ‎08-16-2013
‎06-08-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-16-2013
Activity Feed
Topics I've Started
View All

Re: Alert on "Number of results"

by in Alerting
‎06-08-2021 12:38 AM
‎06-08-2021 12:38 AM
Thanks Giuseppe. Yes well noted on the real-time, have changed it accordingly. Regarding "Number of Results" (as applied in Rela-time searches) have tested a bit deeper into the behaviour with a high frequency log stream (one per second, is a protocol timetick) and found the following: 1. The key is the rolling window concept in the Real-time search. The window shifts and is not a discrete timeframe excluding previous matched events. 2. The way I had it setup it created an email every 5 seconds, with the last ~300 events in the mail. Eg. Saved Search [SPLUNK ALERT - P3 - ESPMCASTPROBE B FEED]: number of events (299) 3. Received a mail once for each result that there were more than 10 events per search, which triggered every 5 seconds (12 per minute).   Having it now as a Scheduled search provides the result needed, ie. 1. Looking at the last 5 minutes 2. Evaluating if it has more than 10 events 3. Triggering the event accordingly 4. Scheduled search again for 5 mins ahead ("sleeping" for 5 mins)   many thanks ... View more

Alert on "Number of results"

by in Alerting
‎06-07-2021 09:13 AM
‎06-07-2021 09:13 AM
Hi all, Have been reading various pages and not getting there yet: https://docs.splunk.com/Documentation/Splunk/8.2.0/Alert/AlertTriggerConditions https://community.splunk.com/t5/Alerting/Can-someone-explain-when-I-would-use-quot-Once-quot-versus-quot/m-p/279202 https://community.splunk.com/t5/Alerting/What-does-quot-number-of-results-quot-means-when-configuring-an/m-p/234647 https://community.splunk.com/t5/Alerting/Trigger-alert-only-if-the-result-contain-more-than-one-host/m-p/454824   I have the following alert, with email as the action:   When it triggered it created about 33 mails. The idea is that it should have created only one. Any thoughts here plse? thanks guys ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-08-2021 04:22 AM