Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert setup

amirarsalan
Explorer
‎01-14-2020 06:36 AM

Hi all!
Need some help to setup an alert. I have created a alert but my issue is that the alert trigger all the time on the same results. My search is like this index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I only want once alert per campaign but now i get same alerts on same campaigns.

My setup is:
Earliest: -10m
Cron Expression: */5 * * * *
Trigger: Once
Throttle: 10 minutes

Someone who can help with this?

Tags (1)
0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 07:41 AM

Hi @gcusello
Here is my code search

index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I can change the time. Anyway it stil gives me same alerts

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 06:43 AM

Hi @amirarsalan,
you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?
What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 08:05 AM

Hi @amirarsalan,
you Use case requires that the alert is triggered when you have results to the search or when the result is higher that a threeshold?

Ciao.
Giuseppe

0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 01:33 PM

Hi @gcusello
Yes that's correct. But the problem here is that I get same results on my search. So when the alert run the search I got the same results and then I receive the same alert after 10 minutes etc. I want alerts when I have new errors on new campaigns. So I want to receive 1 alert per campaign.id error. Now I get spammed of same alert every 10 minutes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 10:28 PM

Hi @amirarsalan,
you could write the result of the search (the Campaigns) in a lookup (using outputlookup command) or (better) in a summary index (using collect comand) and exclude them from your search.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...