Splunk Search

Why does my real-time alert continue to send emails/sms?

blindfire_bandi
Explorer

I have a query for which I've configured a real-time alert when the query returns a result. I'm getting 25 to 35 emails and texts, and I really just need 1 of each. I'm not sure what I've set incorrectly here.

index = chm source="CH_HealthMonitorHighLevel"
| fillnull value=""
| eval StartTime = relative_time(now(),"-10m")
| where _time >= StartTime and (AppID == 16 or AppID == 41)
| where NOT StatusID == 0 AND NOT StatusID == 1

alt text

0 Karma
1 Solution

paranjith
Explorer

Real time searches run continuously and since, the window specified is 10 minutes, even for one result, it triggers multiple alerts. You can set the throttle to suppress triggering for 10 minutes (that way, the search waits for 10 minutes before triggering the alert again). Hope this helps

View solution in original post

bangalorep
Communicator

The alert is getting triggered repeatedly as the event will be populated multiple times in the 10 minute duration. If you run this search every 10 minutes you should get a single mail only.

0 Karma

whrg
Motivator

Can you post a screenshot of the Trigger Condition?

Also, is there a specific reason why you are using a real-time alert? Because real-time alerts are more costly in terms of computing resources than schedules alerts.

0 Karma

blindfire_bandi
Explorer

@whrg It's attached to the question as alert.png. As far as the real-time is concerned, we're using real-time because we have single value panels that turn yellow to warn and red to indicate "down" for several applications. The operators who are on-call will only be interested in being alerted when something is at the warn or down state.

0 Karma

paranjith
Explorer

Real time searches run continuously and since, the window specified is 10 minutes, even for one result, it triggers multiple alerts. You can set the throttle to suppress triggering for 10 minutes (that way, the search waits for 10 minutes before triggering the alert again). Hope this helps

blindfire_bandi
Explorer

@paranjith The throttling has fixed my issue. Thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...