Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

a real-time alert error

splunk-user
New Member
‎02-25-2021 12:02 AM

Hello, I want to create a real-time alert. I call the rest interface:

https://<host>:<mPort>/services/saved/searches

, and the parameter is:   is_ visible=1&cron_ Schedule = * * * * * & Description = real time data 25 & alert_ comparator=greater than& alert.digest_ mode=0& action.webhook.param .url= www.ceshi:8099/splunk/webhook/alert& dispatch.earliest_ time=rt-60s&alert_ threshold=30&realtime_ schedule=true&alert_ type=number of events&search=ip=192.168.21.222& alert.expires=15d&name=417218432270925848&output_ mode=json& dispatch.latest_ time=rt-0s&disabled=0&is_ scheduled=true&actions=webhook

However, the error display is returned: 400 bad request: [{"messages": [{"type": "error", "text": "per result alert throttling require at least one throttling field, use * to throttle on all fields"}]}],

Is there a problem with the parameter I passed? Or is there an error in the SPL statement?

Labels (2)
Labels
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...