At the bottom of any rule setup window, there is an option to stop processing after the rule has been applied.
Every alert sent to Splunk On-Call runs through the list of rules from top to bottom before reaching the timeline. This check box lets you stop an alert from continuing on to subsequent rules. Stopping has a performance advantage (the alert is processed faster) and prevents subsequent rules from overwriting what the current rule did after it has acted upon the alert.
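A simplified model of the top-to-bottom processing described above, added here as an illustration and not Splunk On-Call's own code. The rule structure (`match_field`, `pattern`, `set`, `stop`), the rule names and the sample alert are constructed assumptions.

```python
# Simplified model of ordered rule processing with a "stop processing" flag.
# The rule dictionary layout is hypothetical; it is not the product's format.
from fnmatch import fnmatchcase


def process_alert(alert, rules):
    """Apply rules top to bottom; return (transformed alert, names of rules applied)."""
    result = dict(alert)
    applied = []
    for rule in rules:
        value = str(result.get(rule["match_field"], ""))
        if not fnmatchcase(value, rule["pattern"]):
            continue  # rule does not match, move on to the next one
        result.update(rule["set"])  # later rules overwrite earlier changes
        applied.append(rule["name"])
        if rule.get("stop"):
            break  # the check box: no subsequent rule sees this alert
    return result, applied


def build_rules(stop_after_first):
    """Constructed rule list; two of the three rules match the sample alert."""
    return [
        {"name": "db-to-dba", "match_field": "entity_id", "pattern": "db-*",
         "set": {"routing_key": "dba"}, "stop": stop_after_first},
        {"name": "web-to-frontend", "match_field": "entity_id", "pattern": "web-*",
         "set": {"routing_key": "frontend"}, "stop": False},
        {"name": "prod-catch-all", "match_field": "entity_id", "pattern": "*prod*",
         "set": {"routing_key": "ops"}, "stop": False},
    ]


# Constructed sample alert.
SAMPLE_ALERT = {"entity_id": "db-prod-01/disk", "message_type": "CRITICAL",
                "routing_key": "default"}

if __name__ == "__main__":
    for stop in (False, True):
        alert, applied = process_alert(SAMPLE_ALERT, build_rules(stop))
        print(f"stop={stop}: routing_key={alert['routing_key']} applied={applied}")
```

With the flag off, the broader catch-all rule further down the list silently reroutes the alert; with it on, the first rule's routing decision is final.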