https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651548#M16877 <P>Use a field name that uniquely identifies the specific alert you wish to throttle.&nbsp; In this case, that field would be Account_Name since you don't want repeated alerts for users.</P> Fri, 21 Jul 2023 19:15:06 GMT richgalloway 2023-07-21T19:15:06Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/650803#M16845 <P>I have just configured Splunk and I have alert running for locked account.</P><P>It keep generating multiple entries from per lockout account&nbsp;</P><P>So I want to generate one message incase of account get locked</P><P>&nbsp;</P><P>index=wineventlog source="WinEventLog:Security" sourcetype=WinEventLog action=failure Account_Name="*" user="*" AND "taskcategory=Account Lockout"</P> Mon, 17 Jul 2023 10:44:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/650803#M16845 OsmanElyas 2023-07-17T10:44:33Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/650870#M16849 <P>What you want is to throttle the alert.&nbsp; Throttling prevents the alert from firing too often.&nbsp; To turn on throttling, edit the alert and check the box labled "Thottle" then specify how long you want Splunk to wait before firing the alert again.</P> Mon, 17 Jul 2023 16:17:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/650870#M16849 richgalloway 2023-07-17T16:17:57Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/650932#M16855 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; Thank you for the guide I am still facing small issue&nbsp;</P><P>what should be in the filed&nbsp;Suppress results containing field value when I click on throttle.</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV> Tue, 18 Jul 2023 06:35:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/650932#M16855 OsmanElyas 2023-07-18T06:35:04Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651548#M16877 <P>Use a field name that uniquely identifies the specific alert you wish to throttle.&nbsp; In this case, that field would be Account_Name since you don't want repeated alerts for users.</P> Fri, 21 Jul 2023 19:15:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651548#M16877 richgalloway 2023-07-21T19:15:06Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651675#M16892 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; Much appreciate your support, I have implemented the report.</P> Mon, 24 Jul 2023 06:43:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651675#M16892 OsmanElyas 2023-07-24T06:43:47Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651761#M16900 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Mon, 24 Jul 2023 12:48:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Account-Lockout/m-p/651761#M16900 richgalloway 2023-07-24T12:48:09Z