My Splunk alerts are configured to send an e-mail when triggered. How do I make sure that Splunk only sends one e-mail per violation? It seems to be sending multiple emails everytime for same violation.
Settings are as follows
Run on cron schedule
time range: -24h
cron: 42 * * * *
trigger when number of results is >0
trigger : Once
throttle : 60s
You run the search every 42 past the full hour but your search is looking back 24 hours, am i right?
So i when the scheduler is running the search at 0:42 you will find all events from the past 24 hours, if the search will run the next time at 1:42 it will also send you all the events from the past 24 hours, also the events which have been sent in the previous run at 0:42 with the exeption that the events between 0:42 and 1:42 are not included.. - you know that i mean? but you have overlaping timeranges, so events will be send multiple times. Change the time range to -1h or the cron only to run the search only once daily: for example 00 1 * * *
You run the search every 42 past the full hour but your search is looking back 24 hours, am i right?
So i when the scheduler is running the search at 0:42 you will find all events from the past 24 hours, if the search will run the next time at 1:42 it will also send you all the events from the past 24 hours, also the events which have been sent in the previous run at 0:42 with the exeption that the events between 0:42 and 1:42 are not included.. - you know that i mean? but you have overlaping timeranges, so events will be send multiple times. Change the time range to -1h or the cron only to run the search only once daily: for example 00 1 * * *