We have a Splunk Alert set up with the following configuration:

SETTINGS
Alert type = Scheduled (Run on Cron Schedule)
Time Range = Today
Cron Expression = *****
Expires = 24 hours

TRIGGER CONDITIONS
Trigger alert when = Number of Results > 0
Trigger = Once
Throttle = Ticked
Suppress triggering for = 1 day

TRIGGER ACTIONS
When triggered
- Add to Triggered Alerts
- Send email

The issue that we are experiencing is that if we have 3 events occur at different times throughout the day, we are only receiving an email for the first one. Also, the following day (within the 24 hour period from the previous alert) we are not receiving any email notifications. In all cases if I select the Splunk Alert and view the results I see all the events shown here, including those for which no email notification was received.

I believe the issue here has to do with the following settings:

Trigger = Once
Throttle = Ticked
Suppress triggering for = 1 day

From the Splunk documentation it is not clear whether all Splunk alerts would get suppressed after the first one, or just repeated Splunk Alerts for the same event. I am assuming that it's the former as this would explain why we don't see any further email notifications until the 1 day / 24 hour period expires(?)

I think changing the settings to the following:

Trigger = For each result
Throttle = Ticked
Suppress triggering for = 1 day

will at least mean that we receive only one event in each email notification (for simultaneous alerts ... another issue that exists) but will not fix the suppressed email notifications. Furthermore, removing the Throttle seems to just continuously alert on the same event.

I want to keep the "Scheduled Alert" type (rather than "Realtime") due to the set-up that we have here and also I am unable to play around too much with the configuration in test as we do not have email notifications in this environment (only in our live environment).

The goal, in case it's not yet clear from the above, is to receive a single email notification for each event. Can you please advise / suggest the correct change that I should make to achieve this?