Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert notifications being incorrectly suppressed

L1mLam
Observer
‎10-13-2021 04:52 AM

I have the following results returned by a search query:

_time                                                        Id1                          Id2
2021-10-13 08:20:22.219     ABC471_1       8456
2021-10-13 08:20:21.711     ABC471_8       8463
2021-10-13 08:20:16.112     ABC471_3       8458

However, I only receive an alert notification for the first result.

My alert configuration is set up as follows:

Settings
Alert type                     Scheduled
Time Range                Today
Cron Expression      */5****
Expires                           24 hours

Trigger Conditions
Number of Results              >0
Trigger                                         For each result
Throttle                                       Ticked
Suppress results
containing field value       Id2=$result.Id2$
Suppress triggering for   24 hours

Trigger Actions
Add to Triggered Alerts
Send email

I am expecting 3 emails to be generated for each of my search query results given that I am suppressing on Id2 which is different in each case.  However, I am just receiving the one alert as stated above.

Can anyone advise me what I am dong wrong in this case?

Thanks

Labels (1)
Labels
0 Karma
Reply

PradReddy
Path Finder
‎10-24-2021 11:01 AM

Hi L1mLam,

Just use field name in this option and it will work

PradReddy_0-1635098289890.png


More information around alert suppression configuration attributes can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Savedsearchesconf#alert_suppression.2Fsever...


alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must*
be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

 

------

An upvote would be appreciated and Accept Solution if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...