You probably should try two transaction commands in sequence, with different constraints. The first one will collect all the reserve events with the same user_id and loc, but will not add events to the transaction if they occurred more than 5 minutes away from any other event. You use maxpause instead of maxspan. You probably need to keep evicted and orphaned transactions so all events are still available for the second transaction. For the first transaction we only want "Reserve" events to be merged. The second transaction merges the "Leave" and "Reserve" events | transaction user_id loc action startswith="Reserve" endswith="Reserve" maxpause=5m keepevicted=true keeporphans=true | transaction user_id loc startswith="Reserve" endswith="Leave" maxevents=2 The maxevents=2 is important so that the Reserve events > 5 minutes early, that were separated out by the first transaction, don't get added back into the second transaction. ... View more

Under the green search magnifying glass, click on the "Fast Mode" and when the menu opens up, choose "Verbose Mode". It might fix the problem. ... View more

I tried changing the index and it did not help. I think the problem is more likely a start time error. Edit the input and try a more recent "Start Time" field value. I kept getting the same errors when I configured a start time 75 days ago. I changed the start time to 15 days ago and still got the same errors. I then changed the start value to 4 hours previously and events finally started coming in; no more errors. ... View more

I have gotten the same emails from DUO and I was wondering the exact same thing. ... View more

There are two different Salesforce apps. One is called the "AddOn", the other is called the "App". The documentation you are reading is from the AddOn, but the screenshot you are showing is from the App. The AddOn is for collecting the data, while the app is for displaying it in dashboards, etc. See: https://splunkbase.splunk.com/app/1931/ and https://splunkbase.splunk.com/app/3549/ ... View more

I posted a solution to this general problem here: https://answers.splunk.com/answers/337985/throttle-alert-once-per-day.html In short, the search string I used to trigger once a day alerting when over the license limit is this: | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Percentage of daily license limit used"=round(used_bytes/quota*100,2) | eval "Alert time"=strftime(now(), "%T %Z") | eval alert_count_today=[search index=_internal sourcetype=scheduler thread_id=AlertNotifier* savedsearch_name="License Limit Exceeded: Over 100% Usage" earliest=@d | where alert_actions!="" | stats count | return($count)] | where 'Percentage of daily license limit used' > 100 and alert_count_today = 0 | fields "Alert time" "Percentage of daily license limit used" For more details see the original post. ... View more

I had this same problem and I have not found a good answer on the forums. I finally solved it, so for others who are struggling with how to throttle an alert until the next day, here is my solution. First, don't tick the Throttle checkbox in Alerts. Instead, find out whether an alert has already been triggered for the day with a subsearch. Use the subsearch as a function that returns the value of the number of previously triggered alerts for the day. If you have not yet had an alert for the day, it will return 0, so if the alert conditions are true and alerts_for_the_day=0 then you fire the alert, otherwise no. Here is an example for checking for when you are over the license limit where the name of the alert is "License Limit Exceeded: Over 100% Usage": | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Percentage of daily license limit used"=round(used_bytes/quota*100,2) | eval "Alert time"=strftime(now(), "%T %Z") | eval alert_count_today=[search index=_internal sourcetype=scheduler thread_id=AlertNotifier* savedsearch_name="License Limit Exceeded: Over 100% Usage" earliest=@d | where alert_actions!="" | stats count | return($count)] | where 'Percentage of daily license limit used' > 100 and alert_count_today = 0 | fields "Alert time" "Percentage of daily license limit used" Essentially here is the format: ---enter your basic alert conditions--- | eval alert_count_today=[search index=_internal sourcetype=scheduler thread_id=AlertNotifier* savedsearch_name=---enter the name of your alert here--- earliest=@d | where alert_actions!="" | stats count | return($count)] | where ---your basic alert triggers are evaluated--- and alert_count_today = 0 | fields ---list the fields you want displayed in the event--- The key to making this work is understanding the event that is created every time a scheduled alert is run. The first part of the subsearch finds the alert events. In every alert event Splunk creates a field "alert_actions". If the alert is not triggered the value of alert_actions is set to an empty string. Hence the expression 'where alert_actions!=""' will only find events where an alert actually did get triggered. The "count" variable will be "0" when no alert has been triggered so far in the day, otherwise it will be "1". So if we return the value of the count variable and set the variable alert_count_today equal to the returned result, we now know whether an alert has been triggered or not. In the case of the 300 guests, you just need to insert "where No_Of_Guests_Enrolled_in_a_day>=300 and alert_count_today=0" towards the end of the search string along with the initial search string, saved_search_name, and output fields. ... View more