Alerting

Alert notifications being incorrectly suppressed

L1mLam
Observer

I have the following results returned by a search query:

_time                                                        Id1                          Id2
2021-10-13 08:20:22.219     ABC471_1       8456
2021-10-13 08:20:21.711     ABC471_8       8463
2021-10-13 08:20:16.112     ABC471_3       8458

However, I only receive an alert notification for the first result.

My alert configuration is set up as follows:

Settings
Alert type                     Scheduled
Time Range                Today
Cron Expression      */5****
Expires                           24 hours

Trigger Conditions
Number of Results              >0
Trigger                                         For each result
Throttle                                       Ticked
Suppress results
containing field value       Id2=$result.Id2$
Suppress triggering for   24 hours

Trigger Actions
Add to Triggered Alerts
Send email

I am expecting 3 emails to be generated for each of my search query results given that I am suppressing on Id2 which is different in each case.  However, I am just receiving the one alert as stated above.

Can anyone advise me what I am dong wrong in this case?

Thanks

Labels (1)
0 Karma

PradReddy
Path Finder

Hi L1mLam,

Just use field name in this option and it will work

PradReddy_0-1635098289890.png


More information around alert suppression configuration attributes can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Savedsearchesconf#alert_suppression.2Fsever...


alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must*
be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

 

------

An upvote would be appreciated and Accept Solution if it helps!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...