Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert setup

amirarsalan
Explorer
‎01-14-2020 06:36 AM

Hi all!
Need some help to setup an alert. I have created a alert but my issue is that the alert trigger all the time on the same results. My search is like this index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I only want once alert per campaign but now i get same alerts on same campaigns.

My setup is:
Earliest: -10m
Cron Expression: */5 * * * *
Trigger: Once
Throttle: 10 minutes

Someone who can help with this?

Tags (1)
0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 07:41 AM

Hi @gcusello
Here is my code search

index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I can change the time. Anyway it stil gives me same alerts

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 06:43 AM

Hi @amirarsalan,
you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?
What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 08:05 AM

Hi @amirarsalan,
you Use case requires that the alert is triggered when you have results to the search or when the result is higher that a threeshold?

Ciao.
Giuseppe

0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 01:33 PM

Hi @gcusello
Yes that's correct. But the problem here is that I get same results on my search. So when the alert run the search I got the same results and then I receive the same alert after 10 minutes etc. I want alerts when I have new errors on new campaigns. So I want to receive 1 alert per campaign.id error. Now I get spammed of same alert every 10 minutes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 10:28 PM

Hi @amirarsalan,
you could write the result of the search (the Campaigns) in a lookup (using outputlookup command) or (better) in a summary index (using collect comand) and exclude them from your search.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...