In real-time alert, if I use lookup command, too many alerts triggered.

Splunk version 7.1.1. I'm using a real-time alert that triggers when there is an event whose src_ip matches black_list.csv, like below.

index=hogehoge | lookup black_list.csv src OUTPUT status | where isnotnull(status) | table _time src status

But if there is such an event, this alert is continuously triggered every 5 seconds for the same event! I think it is caused by the `lookup` command touching every event again when a new event arrives. Shouldn't I use `lookup` in a real-time alert? And is this the specification?

* If this is written in the documentation, I'm sorry.... Please, someone help me.
