Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert notifications being incorrectly suppressed

L1mLam
Observer
‎10-13-2021 04:52 AM

I have the following results returned by a search query:

_time                                                        Id1                          Id2
2021-10-13 08:20:22.219     ABC471_1       8456
2021-10-13 08:20:21.711     ABC471_8       8463
2021-10-13 08:20:16.112     ABC471_3       8458

However, I only receive an alert notification for the first result.

My alert configuration is set up as follows:

Settings
Alert type                     Scheduled
Time Range                Today
Cron Expression      */5****
Expires                           24 hours

Trigger Conditions
Number of Results              >0
Trigger                                         For each result
Throttle                                       Ticked
Suppress results
containing field value       Id2=$result.Id2$
Suppress triggering for   24 hours

Trigger Actions
Add to Triggered Alerts
Send email

I am expecting 3 emails to be generated for each of my search query results given that I am suppressing on Id2 which is different in each case.  However, I am just receiving the one alert as stated above.

Can anyone advise me what I am dong wrong in this case?

Thanks

Labels (1)
Labels
0 Karma
Reply

PradReddy
Path Finder
‎10-24-2021 11:01 AM

Hi L1mLam,

Just use field name in this option and it will work

PradReddy_0-1635098289890.png


More information around alert suppression configuration attributes can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Savedsearchesconf#alert_suppression.2Fsever...


alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must*
be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

 

------

An upvote would be appreciated and Accept Solution if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...