Alerting

How can I email just the first occurrence of a repeated identical event?

mtischler
New Member

We are using Splunk to monitor some endpoint protection software via the windows application event log. The problem is that the software generates the same event every time an endpoint is restarted and we are getting swamped with nuisance emails. Is there a way that we can limit the emails to just one for each unique event message? Can a lookup table of triggered alerts be used to inhibit the triggering of a previously alerted repeated event? Can a script be created to check the contents of a lookup table so that only unique events are emailed?

Our alert query is currently:
Search: sourcetype="wineventlog:application" SourceName=xxxxxxxxx Message="A new threat*"

Ideally I want one email for each unique Message and no subsequent emails for identical Messages.

Thank you for your help.

0 Karma

p_gurav
Champion

You can used something called throttling alert. Refer below document where you can specify field on which throttling is based on:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Alert/ThrottleAlerts

0 Karma

mtischler
New Member

Thank you. I am reviewing this documentation now. Can I set the throttle time to 1 year? I would like to throttle on Sha256 signature. I cannot throttle by the Message because I need an email notification in the event of another new threat message.

0 Karma
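The two approaches raised in this thread, throttling on a field (the accepted suggestion) and a lookup table of already-alerted values (the original poster's first idea), written out as savedsearches.conf stanzas. This is an added example, not configuration from the thread or from Splunk's documentation; it assumes the thread's search, a field named Sha256 extracted from the threat events, a recipient address and a lookup file name alerted_threats.csv, all of which are placeholders to replace. Field-based throttling requires the alert to run in per-result mode (alert.digest_mode = 0); if it is left in digest mode the whole alert is throttled regardless of the field value, which would suppress genuinely new threats.

```ini
# savedsearches.conf (e.g. in an app's local/ directory). Added example, not from the page.
# Stanza 1: field-based throttling. Each distinct Sha256 value may trigger an email
# at most once per alert.suppress.period; a different Sha256 still alerts immediately.
[Endpoint new threat - throttle by hash]
search = sourcetype="wineventlog:application" SourceName=xxxxxxxxx Message="A new threat*"
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Per-result mode: one trigger per matching event, so throttling can key on a field.
alert.digest_mode = 0
alert.track = 1
alert.suppress = 1
# Field to throttle on (assumed extracted field name; adjust to what your events carry).
alert.suppress.fields = Sha256
# Period is <integer>[s|m|h|d]; verify on your Splunk version that a year-long value is accepted.
alert.suppress.period = 365d
action.email = 1
action.email.to = soc@example.com
action.email.subject = New threat detected: $result.Sha256$

# Stanza 2: lookup-based suppression, the alternative the question asked about.
# Events whose Sha256 is already in alerted_threats.csv are dropped; the remaining
# (new) hashes are emailed and appended to the lookup so they are never emailed again.
# Create the CSV once (with at least a Sha256 column) before enabling this stanza,
# because inputlookup fails on a missing file. Note this remembers hashes forever,
# whereas throttling forgets them after the suppress period.
[Endpoint new threat - lookup dedup]
search = sourcetype="wineventlog:application" SourceName=xxxxxxxxx Message="A new threat*" \
  | search NOT [| inputlookup alerted_threats.csv | fields Sha256] \
  | stats earliest(_time) as first_seen, values(host) as hosts by Sha256, Message \
  | outputlookup append=true alerted_threats.csv
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = New threat hash(es) first seen
```

Pick one stanza, not both, for the same events. The throttling stanza is the simpler and is managed entirely by Splunk; the lookup stanza gives a permanent, inspectable record of what has already been reported and can be cleared by editing the CSV. With either approach, a restart that re-emits an already-reported Sha256 produces no email, while a new hash does.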