Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Trigger alert for first 3 times and then suppress the consecutive alerts

ksubramanian198
Engager
‎07-18-2018 05:01 AM

Hi,
I have scheduled a Splunk alert to be executed for every 1 minute, if it matches my search condition for last 10 minutes events, then this will trigger an alert once. Throttle time is set as 8 minutes.
I would like to trigger 3 consecutive alerts and then throttle for 8 minutes, currently it triggers alert once and throttling for 8 minutes. Please let me know if there is a way achieve this.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2018 06:30 AM

You can dump your conditions into a lookup and then create an independent caretaker/housekeeping/alerting search to clean it. Like this:

Your Current Alerting Search
| table _time Other Stuff Here
| outputlookup append=true YourLookup
| where ThisFIeldWillNeverExists=="So this line drops all current events"
| inputlookup append=true YourLookup
| eventstats count
| where count<=YourThrottlingLimitHere

Then you schedule your other search to do something like this:

|inputlookup YourLookup
| where _time <= relative_time(now, "-10m")
| outputlookup YourLookup

Tune to your liking but you get the idea.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...