https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149785#M2441 <P>Hello Everyone,</P> <P>Unfortunately I may not be thinking outside of the box far enough for this one. Essentially a search is ran to identify a "critical" value within a "threat level" field, and from that search we alert based on the "attack name" field. The issue I am coming across is when creating the alert action, suppression (throttling) is based on the entire search. So in the event that 1 "attack name" out of 1,000 triggers the alert, it is suppressed for example 4 hours. This is an issue because I would like to alert for any attack name and only suppress if the attack name is identical. Without creating a alert for every single "attack name".</P> <P>Assume 3 events are logged</P> <P>1) 12:10 - Threat Level = Critical ; Attack Name = 123 (Alert via email)<BR /> 2) 12:30 - Threat Level = Critical ; Attack Name = 654 (Alert via email)<BR /> 3) 12:50 - Threat Level = Critical ; Attack Name = 123 (No alert, suppressed by event 1)<BR /> 4) 12:54 - Threat Level = High ; Attack Name = 921 (No alert, threat level not = to Critical)</P> <P>Thoughts and Ideas? </P> <P>Thanks,<BR /> Justin</P> Thu, 02 Oct 2014 17:35:03 GMT jstaley 2014-10-02T17:35:03Z https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149785#M2441 <P>Hello Everyone,</P> <P>Unfortunately I may not be thinking outside of the box far enough for this one. Essentially a search is ran to identify a "critical" value within a "threat level" field, and from that search we alert based on the "attack name" field. The issue I am coming across is when creating the alert action, suppression (throttling) is based on the entire search. So in the event that 1 "attack name" out of 1,000 triggers the alert, it is suppressed for example 4 hours. This is an issue because I would like to alert for any attack name and only suppress if the attack name is identical. Without creating a alert for every single "attack name".</P> <P>Assume 3 events are logged</P> <P>1) 12:10 - Threat Level = Critical ; Attack Name = 123 (Alert via email)<BR /> 2) 12:30 - Threat Level = Critical ; Attack Name = 654 (Alert via email)<BR /> 3) 12:50 - Threat Level = Critical ; Attack Name = 123 (No alert, suppressed by event 1)<BR /> 4) 12:54 - Threat Level = High ; Attack Name = 921 (No alert, threat level not = to Critical)</P> <P>Thoughts and Ideas? </P> <P>Thanks,<BR /> Justin</P> Thu, 02 Oct 2014 17:35:03 GMT https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149785#M2441 jstaley 2014-10-02T17:35:03Z https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149786#M2442 <P>I found my answer to this. When specifying a action for a alert you must select the "Action Options" "When triggered, execute actions for each result". Select throttle, and specify the fields you want to suppress. ,Found my answer for this.</P> <OL> <LI>Modify the Action within the Alert.</LI> <LI>Under "Action Options" select "When triggered, execute actions - For each result"</LI> <LI>Select the "Throttle" check box.</LI> <LI>Suppress results containing field value (I specified "Attack Name" for the above example)</LI> <LI>Save</LI> </OL> Mon, 06 Oct 2014 19:44:45 GMT https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149786#M2442 jstaley 2014-10-06T19:44:45Z https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149787#M2443 <P>Your answer came up when I was trying to understand how the <EM>Suppress triggering for</EM> options works in conjunction with the <EM>Suppress results containing field value</EM>.</P> <P>My understanding is that whatever comma-delimited list of fields you list in the <EM>Suppress results containing field value</EM> text input, if data hasn't changed in those fields since the last alert, don't re-alert.</P> <P>My application of this is to have a single alert across a large number of hosts for a specific event, using the host as the <EM>Suppress results containing field value</EM> field, which I'm hoping will prevent recurring alerts from a single host, but allow other hosts to still trigger notifications.</P> Wed, 22 Aug 2018 17:15:10 GMT https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149787#M2443 dijikul 2018-08-22T17:15:10Z https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149788#M2444 <P>That sounds correct according to the <A href="https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts">Alerting Manual - Throttle Alerts</A> guide.</P> <P>Though in addition to your use case above for events, i.e. Event #4 "(No alert, threat level not = to Critical)" you would just need your Alert search query to include: <CODE>|search "Threat Level" = "Critical"</CODE> to filter only those events to alert on.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts">https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts</A></P> Sat, 06 Apr 2019 06:08:17 GMT https://community.splunk.com/t5/Alerting/How-to-throttle-email-alerts-on-multiple-unique-values-from-one/m-p/149788#M2444 bwlm 2019-04-06T06:08:17Z