Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About dwong-rtr
dwong-rtr
Explorer
Member since:
08-01-2024
08-19-2025
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 08-01-2024 |
Activity Feed
- Posted Re: Tackling the Challenge of Anomalous Behavior in Multi-Category Metrics on Splunk Observability Cloud. 08-19-2025 06:28 AM
- Posted Tackling the Challenge of Anomalous Behavior in Multi-Category Metrics on Splunk Observability Cloud. 08-13-2025 07:41 AM
- Posted Re: Configure "From" Email Address for Email trigger actions on Splunk Cloud Platform. 07-31-2025 11:02 AM
- Posted Configure "From" Email Address for Email trigger actions on Splunk Cloud Platform. 07-30-2025 12:28 PM
- Got Karma for Re: Search/Job missing in job_manager. 10-19-2024 05:18 AM
- Posted Re: Search/Job missing in job_manager on Splunk Search. 10-17-2024 07:47 AM
- Posted Re: Search/Job missing in job_manager on Splunk Search. 08-06-2024 08:37 AM
- Posted Re: Search/Job missing in job_manager on Splunk Search. 08-05-2024 07:14 AM
- Posted Search/Job missing in job_manager on Splunk Search. 08-01-2024 11:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
08-19-2025
06:28 AM
So these are completely new metrics that were created as a result of an incident where we realized we were lacking visibility. While failures are easier to detect, my concern is with the lack of events. We are hoping to try to detect anomalies however we don't know what the next incident will look like. Sure, a complete drop off is detectable however if its a partial drop off, on a metric that has categories that include all different levels of drop offs….how does one do this?
... View more
08-13-2025
07:41 AM
Hello! Newbie here- We are monitoring a primary metric that has several different categories (tags), each with its own unique "normal" behavior. This makes it difficult to set up a universal alert system for when an issue occurs. The metric tracks a specific user action, and the categories represent the different types of that action. There are six distinct types, and while all of them generally show a drop in activity between 2 and 6 a.m., the extent of this drop varies significantly across the categories. My ask is , because this feels like a common scenario, what are we missing? What else can we alert on or monitor for this scenario? Here is a breakdown of the typical behavior for each category: Category A: Fairly consistent traffic during the day, rarely dropping to zero. Category B: Less constant traffic during the day; it can drop to zero during off-peak hours. Category C: Less traffic and less consistency than Category B; it can also drop to zero during off-peak hours. Category 😧 Even less consistent traffic during the day; it can drop to zero during off-peak hours. Category E: Very inconsistent traffic; it can drop to zero for longer periods, including the times outside off-peak hours. Category F: Very inconsistent traffic, similar to Category E, that can also drop to zero for extended periods and more often. We are currently have an SLO dashboard and have set up a few different detectors to test various alerting strategies. You can see more easily how the traffic differs in the dashboard. Alerting Strategies Detector 1 Trigger: An alert is sent if the failure rate for the primary metric exceeds 5% and the total number of actions meets a minimum threshold of 30. This condition must last for 15 minutes. Detector 2 Trigger: An alert is sent if the 20-minute moving average of the primary metric for Category A falls more than three standard deviations below its historical norm. This is based on the assumption that the data is cyclical over a one-week period. Detector 3 Trigger: An alert is sent if the 20-minute moving average of the primary metric for Category B falls more than three standard deviations below its historical norm. This, like Detector 2, is also based on a one-week cyclical pattern. Detector 4 Trigger: An alert is sent if the value of the primary metric for Category A drops below one for a continuous period of 45 minutes. Detector 5 Trigger: An alert is sent if the 20-minute moving average of the overall primary metric (summed across all categories) falls more than three standard deviations below its historical norm. This detector also assumes the data follows a cyclical pattern over a one-week period.
... View more
Labels
- Labels:
-
Splunk Observability Cloud
07-31-2025
11:02 AM
Thank you all for confirming and your various suggestions!!
... View more
07-30-2025
12:28 PM
We currently have email as a trigger action for Searches, Reports and Alerts. The issue arises when we try to email certain company email addresses because the address is configured to only allow internal email messages (like a distribution list type email address). The email coming from Splunk Cloud is from alerts@splunkcloud.com. We would prefer not to make internal email addresses allow receipt of external emails. There is no way to configure the "From" address in the Triggered Actions section. Ideally what was proposed was that we somehow configure Splunk to send the email as if it came from an internal service email address for our company. I found some documentation on Email configuration however where I would insert an internal email address to be the "FROM", the documentation states "Send email as: This value is set by your Splunk Cloud Platform implementation and cannot be changed. Entering a value in this field has no effect." Any suggestions on how to accomplish this without too much time investment?
... View more
Labels
- Labels:
-
configuration
10-17-2024
07:47 AM
1 Karma
So just to close the loop- after some deep diving by a splunk support rep the issues that caused me to not see all the jobs on that page were due to: 1- permission levels- I was not an ADMIN and so several private jobs were not visible to me 2- incorrect expectations on how the page should work. I assumed it should show all jobs from x amount of time, regardless of how often a job runs or any other job attributes. The page was intended be used real time and not so much for historical runs like from a month ago. 3- TTL - each job has a life expectancy that determines how long its visible on that page. The calculations are convoluted and not obvious. So some jobs might show for longer vs others depending on various things like scheduled search should adhere to that dispatch.ttl adhoc search should default to 10 minutes (no matter how long you are searching back alert should have a TTL that depends on the action that it is taking 4- a bug that created a 2025 expiry date on the TTL for some of my searches/jobs which contributed to the confusion as to why some jobs show and others dont.- Rep was unable to determine cause of the 2025 bug.
... View more
08-06-2024
08:37 AM
I also sorted by Owner ascending and going to page 2 where the user shows up and the job actually doesn't show up in the job manager page. I also tried to filter by the user and they don't show up as an option. I can only filter by me as Owner or All.
... View more
08-01-2024
11:08 AM
I currently do a search monthly for searches/jobs that take a long time. I then look up the job and if there is an alert associated with it. I will then work with teams/individuals to see if the job can be measured as a metric to trigger in SignalFX instead. However, there are some jobs I cannot find, and I think I am missing some part of the logic of how things work. I run this search index=_internal sourcetype=scheduler user!=nobody | table _time user savedsearch_name status scheduled_time run_time result_count | sort run_time desc Results look like this I try to look up the savedsearch_name (like Weekly Sort Options) on this page -splunkcloud.com/en-GB/app/search/job_manager but nothing comes up. Some savedsearch_name show up with results, others don't and I'm not sure why?
... View more
