Alerting

How do I get 1 alert per condition rather than getting several?

skoelpin
SplunkTrust

I have a search which uses the transaction command to group 2 events together. I then added a where clause to sort the events that had a duration>2 seconds. I then saved the search as an alert. Now every time the duration>2 seconds, I get 3 identical emails with a different trigger time for each. I'm viewing the logs in real time and verified that only 1 event came in that was greater than 2 seconds, even though I'm getting 3 emails. How can I change this where I will only get 1 email any time duration>2?

My Search

index=unleashed Call="<CreateOrder*"  | transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply" | where duration>2
1 Solution

aljohnson_splun
Splunk Employee

Hmm. It makes sense to not want to throttle.

I'm formulating the problem to myself as how do we represent event uniqueness - you want to search in the last -15m for example but run this search every 5 minutes? I still think it makes more sense just to run the search every 5 minutes and search over the last 5 minutes. That way, there aren't any duplicates that are found. Because right now, it sounds like you are running a search that looks back farther than the cron schedule - and I think that is the main problem.

I'm sure there are better ways to do this - here is the first thing that came to mind:

index=unleashed Call="<CreateOrder*"
| transaction GUID startswith="fterReceiveRequest" endswith="BeforeSendReply"
| where duration > 2
| eval hash = md5(GUID . _time)
| eval time = _time
| search NOT [| inputlookup hashed.csv | fields hash]
| where _time > now() - (15 * 60)
| outputlookup append=true hashed.csv

NOTE: the 15 * 60 could be whatever your time range is.


skoelpin
SplunkTrust

I took a different approach and set the search to look within a 1 minute time frame then set the cron schedule for 1 minute and this works much better. You gave me the idea from your original post so I'll give you credit for the answer. Thanks for your help!


aljohnson_splun
Splunk Employee

Awesome. That seems like the right approach - same cron & timeframe. Glad you figured it out.


somesoni2
Revered Legend

Is it a real-time saved search, or are you executing it at a certain interval?


skoelpin
SplunkTrust

Can I get an update on this?


aljohnson_splun
Splunk Employee

If it's every 5 minutes:

00:00 - 1 event matched - triggered
00:05 - 1 event matched - triggered
00:10 - 1 event matched - triggered
00:15 - 0 events matched - nothing triggered

All three are the same event?

It sounds like you have the window of the search too large - so that multiple runs pick up the same information. You can change the window of your root search, or you could use alert throttling to make it not trigger for 10 minutes after (less desirable solution IMO).
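To make the window-versus-schedule problem concrete, here is an added Python simulation (not code from this thread or from Splunk) of a cron-scheduled saved search: it reproduces the repeated alerts when the search looks back 15 minutes but runs every 5, shows that a window equal to the cron interval reports each slow transaction once, and models the md5(GUID . _time) lookup filter from the accepted answer. The two transaction records are constructed sample data.

```python
import hashlib

# Constructed sample data: two transactions that exceeded duration > 2 seconds.
# _time is epoch seconds; the second one completes 400 s after the first.
SLOW_TRANSACTIONS = [
    {"GUID": "11111111-0000-4000-8000-000000000001", "_time": 1700000000, "duration": 3.4},
    {"GUID": "22222222-0000-4000-8000-000000000002", "_time": 1700000400, "duration": 2.7},
]


def run_search(run_time, window_s, events):
    """Events a single scheduled run sees: _time inside its lookback window."""
    return [e for e in events if run_time - window_s < e["_time"] <= run_time]


def event_hash(e):
    """md5(GUID . _time): the uniqueness key from the answer (a dedup key only,
    not a security control)."""
    return hashlib.md5(f"{e['GUID']}{e['_time']}".encode()).hexdigest()


def count_alerts(window_s, interval_s, events, dedup=False, horizon_s=3600):
    """Total alert e-mails a cron-scheduled search sends over horizon_s seconds.

    window_s   : how far back each run searches (the alert's time range)
    interval_s : the cron interval between runs
    dedup      : if True, remember hashes of already-alerted events (the set
                 stands in for hashed.csv + inputlookup/outputlookup) and skip them
    """
    t0 = min(e["_time"] for e in events)
    seen = set()
    total = 0
    for run_time in range(t0, t0 + horizon_s + 1, interval_s):
        hits = run_search(run_time, window_s, events)
        if dedup:
            hits = [e for e in hits if event_hash(e) not in seen]
            seen.update(event_hash(e) for e in hits)
        total += len(hits)
    return total


if __name__ == "__main__":
    # 15-minute window on a 5-minute cron: each slow transaction is reported 3 times.
    print(count_alerts(900, 300, SLOW_TRANSACTIONS))              # 6
    # Window equal to the cron interval: each transaction is reported once.
    print(count_alerts(300, 300, SLOW_TRANSACTIONS))              # 2
    # Keep the wide window but filter on already-seen hashes: also once each.
    print(count_alerts(900, 300, SLOW_TRANSACTIONS, dedup=True))  # 2
```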

skoelpin
SplunkTrust

Thanks for the quick response! Would there be any way to keep the 5 minute window but only have it alert on new events which fit the criteria rather than alerting on events that fall into that 5 minute window?

I'd rather not throttle because it means we could miss events where the duration is greater than 2 seconds. We primarily want this for getting a lot of alerts in a short time period which would let us know there's a problem.

If there's no way to have it alert on only new events in that 5 minute window, then would you recommend me decreasing that 5 minute window to a 30 second window?


skoelpin
SplunkTrust

It's on a cron schedule for every 5 minutes. We sometimes have multiple alerts within that 5 minute time window, and sometimes we can have 0 or 1 alert within that 5 minute time window.
