Mutiple alerts from scheduled real-time search in ...

echalex · ‎05-03-2013

Hi,

I'm seeing a weird issue. We have a setup of three search head pools. One user has a real-time search creating an alert. These alerts are sending out three emails, one from each search head, for an individual event. When I inspect the search in question, I see that it has four instances running.

Is this normal or have I configured something wrong?

I'm also unsure as to whether I should set the "Alert mode" to "Once per search" or "Once per result". It was set to "Once per result" when this happened.

ewoo · ‎06-27-2014

If you configure the realtime search as described here: http://answers.splunk.com/answers/83305/shared-realtime-searches-possible/83308

... then you should only end up with one "instance" of the search running across your entire pool.

I'm assuming here that you have "three search heads in a pool" and not "three [distinct] search head pools".

Lucas_K · ‎07-27-2014

The link you posted doesn't help at all.

OP is running a scheduled search with an email alert.

There are work arounds ( http://answers.splunk.com/answers/127719/search-pooling-and-alerting ) but this totally changes usage and architecture of how users interactive with splunk.

I've run into this issue today and have yet to find a solution.

Mutiple alerts from scheduled real-time search in search head pool

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!