Alerting

Too many emails & data

hxa27
Path Finder

Hi,
Actually, I have two questions on the same search query.

1- I was able to monitor the folder I want instead of the log files, but my problem is that when I run the search again, I still see the files I deleted earlier plus the new files I added. I don't know why they still show?!

2- On the same search, I set up a real-time alert to send me an email when the condition is met, which is what I get. That's great, but the problem is I receive 19 to 20 emails for the same file because the real-time alert runs every minute and it gives me all the files which met the condition, even if they are the same files. Is there a way to make Splunk send only one email for the new file? Any suggestion will be helpful.

Thanks in advance


emiller42
Motivator

1) Once something is indexed in Splunk, it's in Splunk. Changing the monitor settings doesn't delete the data from your index. Deleting the old files doesn't delete the data from your index. You can selectively delete data from Splunk, but that only removes it from search results, not from the index itself. (So it doesn't free disk space or anything.) Generally this isn't recommended. You can find out more about the delete command here.

2) You probably don't want a real-time alert here. It would be much better to set up an alert with a short interval that only searches within that interval. So set up your search to look at the past 5 minutes, and then run every 5 minutes. It'll only trigger on new events, as you don't look at the same span of data twice. It also won't monopolize a CPU to keep a realtime search running.
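As an added example (not from either poster), here is what emiller42's suggestion looks like in savedsearches.conf: the real-time form that fires on every run, beside the scheduled form whose time window matches its interval. The index, monitored path, match condition and email address are placeholders, and the suppression keys at the end go one step beyond the answer by throttling repeat emails per source file.

```ini
# BEFORE: real-time alert. Each minute it sees every matching file again,
# so the same file produces an email on every run.
[monitored_folder_alert_realtime]
search = index=main source="/path/to/monitored/folder/*" <your condition here>
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com

# AFTER: scheduled alert. Runs every 5 minutes and only searches the last
# 5 minutes, so no span of data is evaluated twice and only new events trigger.
[monitored_folder_alert_scheduled]
search = index=main source="/path/to/monitored/folder/*" <your condition here>
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
cron_schedule = */5 * * * *
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com
action.email.sendresults = 1
# Optional throttling (not mentioned in the answer above): once a given
# source file has triggered an email, suppress further emails for that same
# source for 24 hours, even if it still matches on later runs.
alert.suppress = 1
alert.suppress.fields = source
alert.suppress.period = 24h
```

Snapping the window to the minute boundary (`@m`) keeps consecutive runs contiguous rather than overlapping by the few seconds the scheduler drifts.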
