Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create alert for each new events

Naa_Win
Path Finder
3 weeks ago

Hello Team,

I have a error data coming to index (we filtered to send only error logs to this index ), I wanted to create an alert when ever there is any new events coming to that index and don't want to send the duplicate alert. 

index=error_idx sourcetype=error_srctyp
Labels (2)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @Naa_Win ,

you have to define the frequency of your alert and run a simple search scheduled on the above frequency, if e.g. you want to run your alert every 5 minutes, you should run a search like the following:

index=error_idx sourcetype=error_srctyp earliest=-5m@m latest=@m

if you have events the alert triggers.

choosing a defined period you are sure that the alert triggers only one time on events.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

It seems a bit like an overkill to use Splunk for this if all you send are errors. 😉

But anyway, you should just search for events with continuous scheduling and you're set (just take into account possible delay in indexing).

0 Karma
Reply

Naa_Win
Path Finder
3 weeks ago

@gcusello   @PickleRick Thank you for the reply.

We are sending data from application console to splunk through syslog and they define to send only error logs from their console.

So If I schedule to run at 15 mins frequency and 15 time range. Will there be any chance of missing events to be triggered. Our intention to get alert when ever there is new event and shouldn't repeat the same event in the alert. 

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

There is always a chance of missing the event in some circumstances. For example if there is a huge lag due to some network outage or something similar and you get your events indexed with several hours delay you won't find them when you're searching for recent events.

But you can minimise the risk. The typical approach is to search every - let's say 15 minutes - over a "slightly delayed" window. For example - you search from 16 minutes ago to 1 minute ago. Or 17-2, depending on your typical ingestion latency.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...