
Splunk: Why didn't I get another alert email?

I configured the following query:

someQuery | timechart partial=f span=5m count as numbers | fillnull | streamstats current=f last(numbers) as last_numbers | eval ratio = numbers/last_numbers | where ratio>2.5 OR ratio < 0.5 OR numbers < 51

For which I programmed an alert in Splunk. The alert conditions were fulfilled from 03:31 a.m. until 05:45 a.m.

I configured the alert as follows:

The alert type is scheduled. It runs on Cron Schedule. The Time Range is the last 12 minutes. Cron Expression is */10 * * * *. It expires in 24 hours. The alert is triggered when the Number of Results is greater than 0. Trigger is set to Once. Throttle is checked and Suppresses triggering for 1 hour(s). When triggered an email is sent.

What I would have expected from this configuration is to get an alert email at 03:40 a.m., at 04:40 a.m. and at 05:40 a.m.

What I instead received were mails at 03:40 a.m. (which is expected) and at 05:50 a.m. (which is not expected). I do not understand what I configured wrong. But I think it is either due to the throttling or maybe due to the time range of 12 minutes?

Could you tell me what I have to change in order to get the alert mails as I would expect to get them?

question from: https://stackoverflow.com/questions/65843104/splunk-why-didnt-i-get-another-alert-email
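The schedule in the question, modelled as an added example that is not part of the original post: a 10-minute cron, a 12-minute search window and a 1-hour throttle, with the condition holding from 03:31 to 05:45. The throttle semantics are an assumption (first matching run fires, later matching runs are suppressed until the throttle period has elapsed), not verified Splunk behaviour; the `suppress_inclusive` knob shows how much the expected mail times shift depending on whether a run landing exactly one hour after the last trigger is still suppressed.

```python
from datetime import datetime, timedelta

# Constructed from the post: the where-clause matched from 03:31 to 05:45.
DAY = datetime(2021, 1, 1)
COND_START = DAY.replace(hour=3, minute=31)
COND_END = DAY.replace(hour=5, minute=45)
CRON_STEP = timedelta(minutes=10)   # "*/10 * * * *"
TIME_RANGE = timedelta(minutes=12)  # search window: the last 12 minutes


def run_times():
    """Every cron invocation of the day, on a 10-minute boundary."""
    t = DAY
    while t < DAY + timedelta(days=1):
        yield t
        t += CRON_STEP


def run_has_results(t):
    """Assumption: a run returns rows whenever its window [t-12m, t)
    overlaps the interval in which the alert condition held."""
    return t - TIME_RANGE < COND_END and t > COND_START


def simulate(throttle_minutes=60, suppress_inclusive=False):
    """Return the clock times ("HH:MM") at which an email would be sent.
    Assumed model: the first matching run triggers; later matching runs are
    suppressed until `throttle_minutes` have elapsed since the last trigger.
    `suppress_inclusive` decides whether a run exactly throttle_minutes after
    the last trigger is still suppressed (an open question in the post)."""
    throttle = timedelta(minutes=throttle_minutes)
    triggered = []
    last = None
    for t in run_times():
        if not run_has_results(t):
            continue
        if last is not None:
            elapsed = t - last
            if elapsed < throttle or (suppress_inclusive and elapsed == throttle):
                continue  # still inside the throttle window
        triggered.append(t.strftime("%H:%M"))
        last = t
    return triggered


if __name__ == "__main__":
    print("no throttle   :", simulate(throttle_minutes=0))
    print("1h, exclusive :", simulate())
    print("1h, inclusive :", simulate(suppress_inclusive=True))
```

Note that the 05:50 run still matches without any throttle because its 12-minute window reaches back to 05:38, before the condition stopped at 05:45; neither boundary assumption reproduces the 03:40 plus 05:50 pattern the post reports.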
