Alerting

Why am I not getting an alert for each matching event, even after selecting "For Each" on alert actions page?

SomnathShilimka
Explorer

Hi All,

I am using Splunk 6 and below is the issue I am facing.

I have set up a scheduled alert on a 5-minute interval. As per my search string, during those 5 minutes I can see around 16 events being generated. While creating the alert I selected Per Result as the execution action, meaning that for 16 events, 16 alerts must get generated.

But when I check after some time (5-6 minutes), I can see only one alert representing the 16 events. Ideally there should be 16 alerts generated, but in my case this is not working. I tried it on Splunk 5 too, but had the same issue.

Please explain why this is happening?

Thanks & Regards,
Somnath


alacercogitatus
SplunkTrust

I'm willing to bet the problem is that you aren't generating results. Merely returning 16 "events" will not translate into "results". Raw events count as 1 result. If you add some table or stats, you should get what you are looking for. Try adding something like this:

<your_search> | table _time _raw

This should give you a table with _time and _raw in it, probably 16 results. You will probably want to change that, but it should prove to alert 16 times.


SomnathShilimka
Explorer

Hi,

Thanks for the reply. I am new to Splunk, therefore not very skilled in it.

I have added the above command suggested by you, but it did not help.

I am trying the below search:

sourcetype=access_combined* status=404

Over 5 minutes it gives me around 15-20 matching events, therefore I decided to create a scheduled alert which will generate 15-20 alerts (one alert for each). But somehow it shows me only one alert after 5 minutes.

Please help me with it. How can I achieve getting the same number of alerts as the number of events matched?

Regards,
Somnath


alacercogitatus
SplunkTrust

sourcetype=access_combined status=404 | stats count by status host

Try that; you add in the items at the end to generate the results.

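The distinction the answer above relies on is between matching events and result rows: a transforming command such as `stats` collapses many events into a few rows, and a per-result trigger runs the alert actions once per row, while the "once" trigger runs them a single time for the whole result set. The script below models that pipeline over a handful of constructed access_combined-style lines; it is an added illustration, not code from the thread or from Splunk, and it does not attempt to diagnose why the poster's Splunk instance still showed a single alert. The `host` value is carried alongside each line to stand in for Splunk's host metadata field, and the trigger-mode names `once` and `per_result` are labels chosen here.

```python
import re
from collections import Counter

# Constructed sample events (not real logs). Each tuple is (host, _raw): 'host'
# stands in for Splunk's host metadata field, '_raw' is an access_combined line.
# Six of the eight lines are 404s, two on each of three hosts.
SAMPLE_EVENTS = [
    ("web01", '10.0.0.5 - - [10/Mar/2014:10:00:01 +0000] "GET /old HTTP/1.1" 404 512'),
    ("web01", '10.0.0.6 - - [10/Mar/2014:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 2048'),
    ("web01", '10.0.0.7 - - [10/Mar/2014:10:01:13 +0000] "GET /favicon.ico HTTP/1.1" 404 209'),
    ("web02", '10.0.0.8 - - [10/Mar/2014:10:01:40 +0000] "GET /admin HTTP/1.1" 404 209'),
    ("web02", '10.0.0.8 - - [10/Mar/2014:10:02:02 +0000] "GET /admin/ HTTP/1.1" 404 209'),
    ("web02", '10.0.0.9 - - [10/Mar/2014:10:02:30 +0000] "POST /login HTTP/1.1" 200 301'),
    ("web03", '10.0.0.10 - - [10/Mar/2014:10:03:11 +0000] "GET /wp-login.php HTTP/1.1" 404 209'),
    ("web03", '10.0.0.11 - - [10/Mar/2014:10:04:58 +0000] "GET /robots.txt HTTP/1.1" 404 209'),
]

# The status code is the 3-digit field after the quoted request line.
STATUS_RE = re.compile(r'"\s(?P<status>\d{3})\s\d+$')


def search_events(events, status):
    """Model of `sourcetype=access_combined status=404`: returns one dict per matching raw event."""
    matched = []
    for host, raw in events:
        m = STATUS_RE.search(raw)
        if m and m.group("status") == status:
            matched.append({"host": host, "status": m.group("status"), "_raw": raw})
    return matched


def stats_count_by(events, *fields):
    """Model of `| stats count by <fields>`: one result row per distinct field combination."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    rows = []
    for key, n in sorted(counts.items()):
        row = dict(zip(fields, key))
        row["count"] = n
        rows.append(row)
    return rows


def dispatch_alert(results, trigger_mode):
    """Model of the alert trigger condition (mode names are this example's own).

    'once' runs the alert actions a single time for the whole result set;
    'per_result' runs them once for every result row. Returns the list of
    action invocations that would be fired.
    """
    if not results:
        return []
    if trigger_mode == "once":
        return [{"result_count": len(results), "first_result": results[0]}]
    if trigger_mode == "per_result":
        return [{"result_count": 1, "first_result": r} for r in results]
    raise ValueError("unknown trigger mode: %r" % trigger_mode)


def demo():
    """Run the thread's search over the sample and count events, rows and alert firings."""
    events = search_events(SAMPLE_EVENTS, "404")
    rows = stats_count_by(events, "status", "host")
    return {
        "matching_events": len(events),
        "result_rows": len(rows),
        "alerts_once": len(dispatch_alert(rows, "once")),
        "alerts_per_result": len(dispatch_alert(rows, "per_result")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows 6 matching events collapsing to 3 result rows, which a "once" trigger turns into a single action and a per-result trigger into three. The same shape applies to the real alert: the number of firings follows the rows the final command emits, not the number of events the base search matched.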

SomnathShilimka
Explorer

Hi,

The above search gave me 3 results (as we have used the stats command) and around 39 matching events.

Per my understanding, this time it should have generated 3 alerts (as the number of results is 3), but still it is showing me only one alert in the alert manager.

I saw a Splunk Education video on alerting in which they said that if you want an alert for each result, then select For Each in actions. But unfortunately this is not happening.

Thanks & Regards,
Somnath
