Alerting

Multiple alerts from scheduled real-time search in search head pool

echalex
Builder

Hi,

I'm seeing a weird issue. We have a setup of three search head pools. One user has a real-time search creating an alert. These alerts are sending out three emails, one from each search head, for an individual event. When I inspect the search in question, I see that it has four instances running.

Is this normal or have I configured something wrong?

I'm also unsure as to whether I should set the "Alert mode" to "Once per search" or "Once per result". It was set to "Once per result" when this happened.

0 Karma
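For reference, the two "Alert mode" choices in the question map onto the alert.digest_mode key in savedsearches.conf. The stanza below is an added illustration of that mapping, not configuration from the original post or from Splunk's own documentation, and it does not address the pooled-search duplication the thread is about. The stanza name, the search string, the throttle window, the recipient address and the cron schedule are all constructed for this example; the key names are standard savedsearches.conf keys.

```ini
# Constructed example: a real-time alert on repeated failed logins.
# "Once per result"  -> alert.digest_mode = 0 (one action per matching event)
# "Once per search"  -> alert.digest_mode = 1 (one action per scheduler run,
#                        with all results in a single digest)
[rt_failed_logins_example]
search = index=auth action=failure | stats count by user, src_ip | where count > 5
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
cron_schedule = * * * * *

# Trigger condition: fire when the search returns any results.
counttype = number of events
relation = greater than
quantity = 0

# Alert mode. Set to 0 for "Once per result", 1 for "Once per search".
alert.digest_mode = 1

# Throttle repeat firings for the same source for 10 minutes so a single
# noisy source does not produce one email per event.
alert.suppress = 1
alert.suppress.period = 10m
alert.suppress.fields = src_ip

# Email action (recipient is a placeholder).
action.email = 1
action.email.to = soc@example.com
action.email.subject = Failed login burst: $result.user$ from $result.src_ip$
```

Note that alert.suppress only throttles repeat firings of one search instance; it does not deduplicate across separate search heads that each run their own copy of the search.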

ewoo
Splunk Employee

If you configure the realtime search as described here: http://answers.splunk.com/answers/83305/shared-realtime-searches-possible/83308

... then you should only end up with one "instance" of the search running across your entire pool.

I'm assuming here that you have "three search heads in a pool" and not "three [distinct] search head pools".

0 Karma

Lucas_K
Motivator

The link you posted doesn't help at all.

OP is running a scheduled search with an email alert.

There are workarounds ( http://answers.splunk.com/answers/127719/search-pooling-and-alerting ) but this totally changes the usage and architecture of how users interact with Splunk.

I've run into this issue today and have yet to find a solution.

0 Karma