I've found in another post that maybe throttling would work; I'm sure it will work, but it's not what I'm looking for.
For example:
I've got an alert running every 5 minutes.
At 10:00 PM the server is down -> an ERROR in a log file.
So we get an alert in Splunk.
I look at it and fix the problem -> delete the ERROR in the log file.
So at 10:05 PM I shouldn't get an alert because the ERROR is gone (and assuming I get the problem fixed in less than 5 minutes...).
Everything works except the last part: when I delete the ERROR in the log file, I still get the alert. So I looked further and there were still ERRORs in the SEARCH, so I deleted them, but I still get the alert even though every ERROR is gone...
Am I doing something wrong? Or am I missing something?
Thx