https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633343#M220017 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227250">@Tom_Lundie</a>&nbsp;&nbsp;</P><P>Hi,</P><P>A)Why&nbsp; we have taken "-30min"&nbsp;</P><P>B) do we need to add the previous founddate values in the lookup table.</P><P>C) why the throttle duration is 5 years ?</P><P>&nbsp;</P><P>Thanks..</P> Sun, 05 Mar 2023 20:22:02 GMT AL3Z 2023-03-05T20:22:02Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633195#M219958 <P>Hi, Need a search for the below scenario,</P><DIV><P>If a previously assigned alert is reassigned to a different user on the portal, it will trigger a new alert because the updated time is considered in the cs. For example, with alert&nbsp; was initially detected on the&nbsp; portal&nbsp; However, when I reassigned the alert to myself last week, a new alert was generated based on the updated time field.</P><P><SPAN>Thanks</SPAN></P></DIV> Tue, 07 Mar 2023 15:12:01 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633195#M219958 AL3Z 2023-03-07T15:12:01Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633336#M220013 <P>You can throttle the Correlation Search.<BR /><BR />You can read more about throttling <A href="https://docs.splunk.com/Documentation/ES/7.1.0/Admin/Configurecorrelationsearches#Throttle_the_number_of_response_actions_generated_by_a_correlation_search" target="_self">here</A>. You could throttle by _id for a sufficient enough time to stop the alerts from re-firing.<BR /><BR /><BR /></P> Sun, 05 Mar 2023 17:47:32 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633336#M220013 Tom_Lundie 2023-03-05T17:47:32Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633337#M220014 <P>Hi&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227250">@Tom_Lundie</a>&nbsp;</P><P>Could you pls help me with the search with the founddate.</P> Sun, 05 Mar 2023 18:05:59 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633337#M220014 AL3Z 2023-03-05T18:05:59Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633338#M220015 <P>There are three options that I can see here, you can either:<BR />a) Make sure that the foundDate occured since the last CS-run so that the CS only ever fires for new events.</P><LI-CODE lang="markup">| eval founddate_ts = strptime(foundDate, "%Y-%m-%dT%H:%M:%S.%fZ") | where founddate_ts &gt; relative_time(now(), "-30min")</LI-CODE><P>b) Maintain a lookup of fired alerts so that the same alert doesn't twice.</P><LI-CODE lang="markup">| eval id = _id | search NOT [| inputlookup example_lookup | fields id | format] | appendpipe [| fields id, _time | outputlookup append=t example_lookup]</LI-CODE><P>&nbsp;c) Throttle the alerts via the CS Configuration:<BR />Throttle Duration: Five Years<BR />Fields to Group By: _id<BR /><BR /><BR />All three of these have pros / cons, so please experiment with these ideas to see what is right for you and your team.</P> Sun, 05 Mar 2023 18:38:36 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633338#M220015 Tom_Lundie 2023-03-05T18:38:36Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633343#M220017 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227250">@Tom_Lundie</a>&nbsp;&nbsp;</P><P>Hi,</P><P>A)Why&nbsp; we have taken "-30min"&nbsp;</P><P>B) do we need to add the previous founddate values in the lookup table.</P><P>C) why the throttle duration is 5 years ?</P><P>&nbsp;</P><P>Thanks..</P> Sun, 05 Mar 2023 20:22:02 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633343#M220017 AL3Z 2023-03-05T20:22:02Z https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633403#M220038 <P>A)Why&nbsp; we have taken "-30min"&nbsp;<BR />This was just an example, ideally this value would match your CS scheduling window (factoring in event lag and search lag).</P><P>B) do we need to add the previous founddate values in the lookup table.<BR />No, just the _id (as id in my example).</P><P>C) why the throttle duration is 5 years ?<BR />This was an example that should be sufficiently long enough.<BR /><BR />All just example ideas for you to experiment with to see which one works.</P> Mon, 06 Mar 2023 10:43:08 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-the-search-for-a-reassigned-alert/m-p/633403#M220038 Tom_Lundie 2023-03-06T10:43:08Z