Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert notifications being incorrectly suppressed

L1mLam
Observer
‎10-13-2021 04:52 AM

I have the following results returned by a search query:

_time                                                        Id1                          Id2
2021-10-13 08:20:22.219     ABC471_1       8456
2021-10-13 08:20:21.711     ABC471_8       8463
2021-10-13 08:20:16.112     ABC471_3       8458

However, I only receive an alert notification for the first result.

My alert configuration is set up as follows:

Settings
Alert type                     Scheduled
Time Range                Today
Cron Expression      */5****
Expires                           24 hours

Trigger Conditions
Number of Results              >0
Trigger                                         For each result
Throttle                                       Ticked
Suppress results
containing field value       Id2=$result.Id2$
Suppress triggering for   24 hours

Trigger Actions
Add to Triggered Alerts
Send email

I am expecting 3 emails to be generated for each of my search query results given that I am suppressing on Id2 which is different in each case.  However, I am just receiving the one alert as stated above.

Can anyone advise me what I am dong wrong in this case?

Thanks

Labels (1)
Labels
0 Karma
Reply

PradReddy
Path Finder
‎10-24-2021 11:01 AM

Hi L1mLam,

Just use field name in this option and it will work

PradReddy_0-1635098289890.png


More information around alert suppression configuration attributes can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Savedsearchesconf#alert_suppression.2Fsever...


alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must*
be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

 

------

An upvote would be appreciated and Accept Solution if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...