I'm getting 5 alerts within 1 hour via email, and again the next hour I'm getting the same alerts. What is the best way I can handle this?
I have used where count > N ... it seems it is not a good approach, as I have N other alerts ... please let me know what is the best way to do it.
There is a throttling mechanism built into the Alerts area, but it must be "opened up" by clicking on the checkbox next to the Throttle label.
It might also help to define the terms...
@jw44250 - You can use what is called a "throttle" setting to tell Splunk not to send you the same alert for a period of time after the alert fires. You choose how long the throttling lasts by accessing those settings that @maciep mentioned, @woodcock explained, and @SloshBurch pointed you to the docs for...
@woodcock strikes again!
Although, one day I'll entice him to post docs links in his superman posts 😉 (said with love my friend)
@jw44250 - To learn more: http://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts
Thanks guys... Ended up with both approaches.
OK, be sure to 'UpVote' everyone and click Accept to close the question.
I do it sometimes but I have too many plates spinning to do it all the time! Besides, then what would the docs team guys do?
;p
hahaha 😉
I'll give the dumb answer... change the schedule of your alert to be when you want to receive it, and only run the search over the period you want for that schedule.
Or, if your problem is that you keep getting the same alerts, you can throttle them for some duration based on some fields.
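The two approaches in the answer above (tighten the schedule and search window, and throttle repeat alerts by field) map directly onto a savedsearches.conf stanza. The stanza below is an added example and is not from this thread or from the original poster's configuration: the stanza name, the index, sourcetype, search string, threshold, and email address are all assumed for illustration. The setting names themselves (cron_schedule, dispatch.earliest_time, alert.suppress, alert.suppress.fields, alert.suppress.period, alert.digest_mode) are the ones Splunk writes when you configure the Throttle checkbox in the Alerts UI.

```ini
# savedsearches.conf (added example, not from the thread). Assumes an alert named
# "Failed logins per host" that runs every 5 minutes over only the last 5 minutes,
# so each run sees new events rather than re-reporting the same hour of data.
[Failed logins per host]
search = index=security sourcetype=linux_secure "Failed password" | stats count by host | where count > 10
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger once per result row (i.e. per host over the threshold) rather than
# once per search run, so throttling can be keyed on the host field.
alert.digest_mode = 0
counttype = number of events
relation = greater than
quantity = 0

# Throttle: after an alert fires for a given host, suppress further alerts for
# that same host for 1 hour. Other hosts still alert independently, and the
# "where count > 10" threshold above is unaffected by other alerts you own.
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h

# Email action (recipient is a placeholder).
action.email = 1
action.email.to = secops@example.com
```

Two things to check after applying this: first, alert.suppress.fields only has an effect when the alert triggers per result (alert.digest_mode = 0); with digest mode on, the throttle applies to the whole alert and a new host appearing during the suppression window will be silently dropped. Second, the suppression period is measured from when the alert last fired, not from the search schedule, so with a 5-minute cron and a 1h period a noisy host produces at most one email per hour while a host that goes quiet and then reappears alerts again as soon as its own window expires.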
Could you please provide the search that's being run and the trigger condition?
There are also a variety of Alert Examples in the docs you may want to review.