Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

realtime alert for each event when reaching x number in y mins

jdinze
New Member
‎02-22-2018 01:26 AM

I am trying to configure a real time alert that will fire off one alert for each event found in a search. I want one alert per event, which i think i can do. the catch is i only want this to happen when there are 10 or more events in a specified time window (like 10 or more events in 5 mins).

I tried setting up a realtime alert with the following parameters, but it seems like the results aren't consistent. am i doing this completely wrong?

(basically just searching an index for alerts, this index shouldn't have many but i want to know when there are 10 or more events in 5 mins and what each one is)
Search: index=test
Trigger Condition: Number of results > 10, in 5 min, trigger for each result

This requires a throttle, but i dont want one so i set the field to one that wouldnt exist and the smallest suppression timer.

Throttle: suppression field = "none"
suppress triggering for 1 sec

Thanks,
splunk noob

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎02-22-2018 02:17 AM

So you can modify your search as

index=test  | table _raw

What trigger actions you are using?
If you are using email then you need to attach csv/pdf in order to see raw events
If you want to see on Splunk then you need to choose Add to triggered alerts as alert action

Let me know if this helps!

0 Karma
Reply

jdinze
New Member
‎02-22-2018 06:30 AM

I want to try this, but can you tell me what table _raw does differently when it comes to triggering per result?

This is a custom alert action that sends an http notification to another system. i need one notification per result in the search (when the search yields more than 10 results). the external system will be utilizing these alerts with source IP information contained in the alert.

0 Karma
Reply

jdinze
New Member
‎02-22-2018 06:45 AM

i did try that, i think it actually stopped it from working as i am not getting any alerts now.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...