Solved: How can I delete the following duplicate alerts?

lifekis · ‎12-14-2018

index=av source=avRawvirusAlertLog
| table CLIENTTIME, CLIENTIPADDR, NAME, PATH, STATUS_msg, SCANTYPE_msg

edit alert
alert type: reserved
time range: Last 60 minutes
cron: /30***
trigger: result count > 0
trigger: once

when I receive Splunk alert, always duplicate twice..

How can I solve it?

skoelpin · ‎12-14-2018

You're getting duplicate alerts because of the way you setup your cron schedule and the timerange. Your timerange is saying look back the last 60 minutes and run the alert every 30 minutes. Maybe an example will clear this up

Say its 6pm and your alert fires and checks if the count is greater than 0. The alert will look from 5pm - 6pm.. At 5:59pm you did have a result count greater than 0, so this triggers an alert action. Then your alert fires again at 6:30pm and looks over the timerange 5:30pm - 6:30pm and sees the exact same condition that the first alert fired (i.e. at 5:59pm). You need to either decrease your timerange to have it match the cron expression or increase your cron expression to match the timerange

View solution in original post

skoelpin · ‎12-14-2018

You're getting duplicate alerts because of the way you setup your cron schedule and the timerange. Your timerange is saying look back the last 60 minutes and run the alert every 30 minutes. Maybe an example will clear this up

Say its 6pm and your alert fires and checks if the count is greater than 0. The alert will look from 5pm - 6pm.. At 5:59pm you did have a result count greater than 0, so this triggers an alert action. Then your alert fires again at 6:30pm and looks over the timerange 5:30pm - 6:30pm and sees the exact same condition that the first alert fired (i.e. at 5:59pm). You need to either decrease your timerange to have it match the cron expression or increase your cron expression to match the timerange

kmorris_splunk · ‎12-14-2018

First I would ask if you are getting multiple results in your search. Next I would ask if you are triggering the alert Once, or for each result. If for each result, are you seeing duplicate values for the results. For example if you want an alert for each CLIENTIPADDR, and you possible have 2 rows in your table with the same value for CLIENTIPADDR. If so, you could use dedup in your search or something. Have you tried throttling in the alert config?

osakachan · ‎12-14-2018

What are you receiving? An e-mail or other thing?

Can you add information about time of alerts and logs who trigger the alert?

lifekis · ‎12-16-2018

I got an email.
receive the same message 30 minutes after receiving the first warning message.

skoelpin · ‎12-17-2018

You should read my answer below if you want to fix your issue...

whrg · ‎12-14-2018

Your cron expression looks weird. If you meant every 30 minutes then type:

*/30 * * * *

EDIT: Never mind. I can see this is a formatting issue on splunkanswers when not using code blocks.

How can I delete the following duplicate alerts?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!