Hello,
I have been using splunk as a syslog server for a while now and have around 8 - 10 alerts that I have created. I have recently had issues with creating any additional alerts and have pretty much determined that it is because I have hit a limit on how many real time alerts I have setup.
I am now going through all my alerts to see which ones I don't need to have real time alerting on. My question is this. I want to perform a search every 5 minutes...if a search comes up with a specific search string within that 5 minutes, I would like it to alert once for every time it is found.
Is this achieved just by setting up a basic schedule as well as setting the time range? And would I do something like having the start time at -5m and the finish time to now?
Thanks for your help....
Set up the search to run every five minutes, with the time interval as:
Start time: -5m@m Finish time: now
Next, set "Alert mode" to "Once per result" to get a separate alert per result found rather than a single alert for the whole search across the 5 minutes.
Just be sure to set it up to send email and you are set.
Thanks jtrucks,
I had set the start time to -5m. What is the difference between what I set and -5m@m?
I appreciate the help!
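The follow-up question about -5m versus -5m@m is not answered in the thread, so here is an added worked example (editor's code, not jtrucks' or Splunk's) that models the scheduled-search windows discussed above. It implements the subset of Splunk's relative time syntax needed here (an offset such as -5m, an optional snap such as @m, and now; the offset is applied first, then the snap) and then replays two 5-minute cron runs over a constructed set of syslog event times. The scheduler lag of a few seconds per run, the event times and the event text are all constructed for the illustration. With "Once per result" alerting, every event inside a run's window fires its own alert, so the example counts alerts per run and reports any event that would alert twice.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk's relative time modifiers: "now", "[-+]<n><unit>", optional "@<unit>" snap.
# Units supported here: s, m, h, d. Times are naive datetimes treated as UTC.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_REL = re.compile(r"^(?:(?P<sign>[-+])(?P<n>\d+)(?P<unit>[smhd]))?(?:@(?P<snap>[smhd]))?$")


def snap(t, unit):
    """Round t down to the start of the given unit (the '@m' part of '-5m@m')."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit!r}")


def resolve(modifier, now):
    """Resolve a relative time modifier against the time the search actually runs."""
    if modifier == "now":
        return now
    m = _REL.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    t = now
    if m.group("n"):  # apply the offset first ...
        delta = timedelta(**{_UNITS[m.group("unit")]: int(m.group("n"))})
        t = t - delta if m.group("sign") == "-" else t + delta
    if m.group("snap"):  # ... then snap the result down to the unit boundary
        t = snap(t, m.group("snap"))
    return t


def events_in_window(events, start, end):
    """Splunk time ranges are earliest-inclusive and latest-exclusive."""
    return [e for e in events if start <= e[0] < end]


def alerts_per_run(events, run_times, earliest, latest):
    """Per scheduled run, the events that would each fire a 'Once per result' alert."""
    return [events_in_window(events, resolve(earliest, rt), resolve(latest, rt))
            for rt in run_times]


def duplicate_alerts(per_run):
    """Events that fall into more than one run's window and so alert more than once."""
    seen, dups = set(), []
    for run in per_run:
        for e in run:
            if e in seen:
                dups.append(e)
            seen.add(e)
    return dups


# Constructed sample data: a cron schedule of */5 * * * * whose runs start a few
# seconds late (scheduler lag), and four syslog events with constructed text.
BASE = datetime(2024, 1, 1, 12, 0, 0)
RUN_TIMES = [BASE + timedelta(minutes=5, seconds=7),   # run scheduled 12:05, started 12:05:07
             BASE + timedelta(minutes=10, seconds=4)]  # run scheduled 12:10, started 12:10:04
EVENTS = [
    (BASE + timedelta(minutes=1, seconds=30), "sshd[101]: Failed password for root"),
    (BASE + timedelta(minutes=5, seconds=3),  "sshd[102]: Failed password for admin"),
    (BASE + timedelta(minutes=6, seconds=45), "sshd[103]: Failed password for root"),
    (BASE + timedelta(minutes=9, seconds=58), "sshd[104]: Failed password for guest"),
]


def compare_windows(events=EVENTS, run_times=RUN_TIMES):
    """Alert counts per run for the three earliest/latest combinations discussed in the thread."""
    return {
        (earliest, latest): [len(r) for r in alerts_per_run(events, run_times, earliest, latest)]
        for earliest, latest in [("-5m", "now"), ("-5m@m", "now"), ("-5m@m", "@m")]
    }


if __name__ == "__main__":
    for (earliest, latest), counts in compare_windows().items():
        per_run = alerts_per_run(EVENTS, RUN_TIMES, earliest, latest)
        print(f"earliest={earliest:<6} latest={latest:<4} alerts per run={counts} "
              f"duplicates={[t.time().isoformat() for t, _ in duplicate_alerts(per_run)]}")
```

Reading the output: with -5m the window edges move with the scheduler lag (12:00:07 to 12:05:07, then 12:05:04 to 12:10:04), so consecutive runs can overlap or leave gaps by a few seconds. With -5m@m the start is pinned to 12:00:00 and 12:05:00, which is what @m buys you; but because the end stays at now, the event at 12:05:03 lands in both runs and alerts twice. Pinning both ends (-5m@m to @m) gives windows that tile exactly, and each event alerts once. Whichever you choose, the window does not account for indexing delay, so an event that arrives in Splunk well after its timestamp can still be missed.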