Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert notifications being incorrectly suppressed

L1mLam
Observer
‎10-13-2021 04:52 AM

I have the following results returned by a search query:

_time                                                        Id1                          Id2
2021-10-13 08:20:22.219     ABC471_1       8456
2021-10-13 08:20:21.711     ABC471_8       8463
2021-10-13 08:20:16.112     ABC471_3       8458

However, I only receive an alert notification for the first result.

My alert configuration is set up as follows:

Settings
Alert type                     Scheduled
Time Range                Today
Cron Expression      */5****
Expires                           24 hours

Trigger Conditions
Number of Results              >0
Trigger                                         For each result
Throttle                                       Ticked
Suppress results
containing field value       Id2=$result.Id2$
Suppress triggering for   24 hours

Trigger Actions
Add to Triggered Alerts
Send email

I am expecting 3 emails to be generated for each of my search query results given that I am suppressing on Id2 which is different in each case.  However, I am just receiving the one alert as stated above.

Can anyone advise me what I am dong wrong in this case?

Thanks

Labels (1)
Labels
0 Karma
Reply

PradReddy
Path Finder
‎10-24-2021 11:01 AM

Hi L1mLam,

Just use field name in this option and it will work

PradReddy_0-1635098289890.png


More information around alert suppression configuration attributes can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Savedsearchesconf#alert_suppression.2Fsever...


alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must*
be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

 

------

An upvote would be appreciated and Accept Solution if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...