Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure real-time per-event alerts that trigger once on the same event ?

dhtran
Loves-to-Learn Lots
‎04-16-2020 06:10 AM

Hello,

I'm trying to figure out how to use Splunk to monitor payments processing, one of the business rules is to trigger 1 alert (and only 1) per payment as soon as it is "late".
a late payment means it is not processed in a predefined time window.

I have the search query that returns the results I needed.

But the challenges/prerequisites are :
- there's no per-event alert in Splunk, only per-result, which means a search query that returns 2 events will trigger 1 alert.
- having a search query that returns only 1 late payment at a time, in my case, is not possible.
- plus, I have a KPI "Nb of late payments" that needs to be decreased if the alerts on payments are deleted (via "Delete" action in Triggered Alert page).

Ex of a scenario :
I have 10 ongoing late payments, i want to yield 10 alerts individually. Then, if I delete 1 alert, I need to somehow "acknowledge" the payment to tell Splunk to :
1) stop yielding alert on this payment
2) add some data/flag/boolean to the payment so I can use it to filter the KPI to decrease its value (ex : search alert_acked=false")

Is it possible in Splunk to handle easily this scenario ?
Is there another way to achieve the same functionality ?

Thanks in advance for your help.

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎04-16-2020 02:08 PM

make dashboard, output your confirm to csv, and make the query that check csv , search and fire alert.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...