I am trying to configure a real-time alert that will fire off one alert for each event found in a search. I want one alert per event, which I think I can do. The catch is I only want this to happen when there are 10 or more events in a specified time window (like 10 or more events in 5 minutes).
I tried setting up a real-time alert with the following parameters, but it seems like the results aren't consistent. Am I doing this completely wrong?
(Basically I am just searching an index for alerts; this index shouldn't have many, but I want to know when there are 10 or more events in 5 minutes and what each one is.)
Search: index=test
Trigger Condition: Number of results > 10, in 5 min, trigger for each result
This requires a throttle, but I don't want one, so I set the field to one that wouldn't exist and the smallest suppression timer.
Throttle: suppression field = "none"
Suppress triggering for 1 sec
Thanks,
Splunk noob
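The behaviour the question describes, as an added Python model that is not part of the original post and not Splunk's own implementation: a rolling 5-minute window over time-ordered events, and once the window holds at least 10 events, exactly one alert per event, with each event alerted only once even though it stays in the window while later events arrive. The window length, the threshold (written as "at least 10" to match the "10 or more" wording) and the sample events are constructed for the example; it is a reference for what the expected output looks like, not a configuration you can paste into Splunk.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed parameters for this example (not taken from any Splunk configuration):
# a 5-minute rolling window and an "at least 10 events" threshold.
WINDOW = timedelta(minutes=5)
THRESHOLD = 10


def burst_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per event that falls inside a rolling window holding
    at least `threshold` events.

    `events` is an iterable of (timestamp, message) pairs in time order.
    Each event is alerted at most once, even though it remains inside the
    window as later events arrive.
    """
    recent = deque()   # (index, timestamp, message) within `window` of the newest event
    alerted = set()    # indices already alerted, so an event never fires twice
    alerts = []
    for idx, (ts, msg) in enumerate(events):
        recent.append((idx, ts, msg))
        # Drop events older than the window, measured from the newest event.
        # The newest event itself has a zero age, so this loop always stops.
        while ts - recent[0][1] > window:
            recent.popleft()
        if len(recent) >= threshold:
            for i, t, m in recent:
                if i not in alerted:
                    alerted.add(i)
                    alerts.append((t, m))
    return alerts


def sample_events():
    """Constructed sample data (not real events): 3 sparse events 2 minutes
    apart, a burst of 10 events within 90 seconds, one straggler 3 minutes
    after the burst started, then 2 more sparse events 20 minutes later."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = [(base + timedelta(minutes=2 * i), f"sparse-{i}") for i in range(3)]
    burst_start = base + timedelta(minutes=20)
    events += [(burst_start + timedelta(seconds=10 * i), f"burst-{i}") for i in range(10)]
    events.append((burst_start + timedelta(minutes=3), "straggler"))
    events += [(base + timedelta(minutes=40, seconds=i), f"late-{i}") for i in range(2)]
    return events


def run_sample(threshold=THRESHOLD):
    """Run the rolling-window check over the constructed sample."""
    return burst_alerts(sample_events(), threshold=threshold)


if __name__ == "__main__":
    for ts, msg in run_sample():
        print(ts.isoformat(), msg)
```

On the sample, the three sparse events and the two late events never share a window with nine others, so they produce nothing; the ten burst events all fire once the tenth arrives, and the straggler fires on its own when it lands inside the still-populated window, giving 11 alerts in total. Raising the threshold to 11 still yields all 11 (the straggler completes the count), while a threshold of 12 yields none.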