Alerting

How to throttle an alert using more than one field?

yemyslf
Path Finder

I am trying to set up a throttle on an alert for multiple fields. In the example below, I only want to throttle alerts that contain the same user and url, so I should get an alert for all the events except Event 3. I know I could enter url or user in the "Suppress results containing field value" field, but then it would suppress other events for that user or url when I only want to suppress the combination of the two. I found another answer where the answer was to use | eval throttle= user.url in the search and then set "throttle" as the alert suppression field. I do see the throttle as a field which has the combined fields, but the alert is responding like it's not a valid field, as I only get one alert until the throttle threshold is met.

Any ideas?

Event 1
user=Mickey@disney.com
url=www.disney.com

Event 2 
user=Mickey@disney.com
url=www.starwars.com

Event 3
user=Mickey@disney.com
url=www.disney.com

Event 4
user=Donald@disney.com
url=www.starwars.com

DalJeanis
Legend

If you want to turn off alerts for the same result, change the Alert mode to Once per result, which will enable a field called Per result throttling fields, which is where you put user and url.

Per this page http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Defineper-resultalerts#Set_up_throttling_for..., "The Suppress results with field value field accepts comma-delimited lists of multiple items."


Here's another strategy - a csv file (called myAlertThrottles.csv) that suppresses alerts, in this example for one hour.

your search that produces values to alert on 
| table user url 

| rename COMMENT as "This section calculates when to release this throttle, if it turns out to be a new alert. isnew marks rows that came from this run rather than from the csv."
| addinfo
| eval releasethrottle = relative_time(info_max_time,"+1h"), isnew=1

| rename COMMENT as "This section inputs the old set of throttles and rolls them together with the new ones. The csv rows carry no info_max_time, so copy this run's time onto them and drop throttles that have already expired."
| inputcsv append=t myAlertThrottles.csv
| eventstats max(info_max_time) as info_max_time
| where releasethrottle > info_max_time
| stats min(info_max_time) as info_max_time, min(releasethrottle) as releasethrottle, max(releasethrottle) as newthrottle, max(isnew) as isnew by user url

| rename COMMENT as "This section writes out the active and new throttles. where false() stops the subsearch rows from being appended to the results."
| appendpipe [| where releasethrottle > info_max_time | table user url releasethrottle | outputcsv append=f myAlertThrottles.csv | where false()]

| rename COMMENT as "Finally, we kill any records that are not new (no event this run, or an active throttle on file), and send the alert."
| where isnew=1 AND releasethrottle==newthrottle
| table user url 
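To make the difference between throttling on one field and on the user+url combination concrete, here is an added Python model of the csv-based throttle above (example code, not from the answer or from Splunk). The throttle table stands in for myAlertThrottles.csv, the four events are the ones from the question, and the field names, window and timestamps are assumed.

```python
from datetime import datetime, timedelta

# Constructed sample events, mirroring the four events in the question.
EVENTS = [
    {"user": "Mickey@disney.com", "url": "www.disney.com"},    # Event 1
    {"user": "Mickey@disney.com", "url": "www.starwars.com"},  # Event 2
    {"user": "Mickey@disney.com", "url": "www.disney.com"},    # Event 3 (same combination as 1)
    {"user": "Donald@disney.com", "url": "www.starwars.com"},  # Event 4
]
THROTTLE_FIELDS = ("user", "url")  # the comma list "user,url" in the suppression box
WINDOW = timedelta(hours=1)        # the "+1h" in the eval above (assumed)

def throttle_key(event, fields):
    """One key per combination of the throttle fields: AND semantics, not OR."""
    return tuple(event[f] for f in fields)

def run_alert(events, throttles, info_max_time, fields=THROTTLE_FIELDS, window=WINDOW):
    """One scheduled run. `throttles` plays the role of myAlertThrottles.csv:
    combination -> release time. Returns (events to alert on, updated throttles)."""
    # Expired throttles are dropped, like the "where releasethrottle > info_max_time" step.
    active = {k: t for k, t in throttles.items() if t > info_max_time}
    to_alert = []
    for ev in events:
        key = throttle_key(ev, fields)
        if key in active:
            continue                           # combination still throttled
        active[key] = info_max_time + window   # start a new throttle for it
        to_alert.append(ev)
    return to_alert, active

def demo():
    """Three runs against the same state, plus a single-field comparison (constructed times)."""
    t0 = datetime(2024, 1, 1, 12, 0)
    first, state = run_alert(EVENTS, {}, t0)                      # Event 3 suppressed
    second, state = run_alert([EVENTS[2]], state, t0 + timedelta(minutes=30))  # still throttled
    third, state = run_alert([EVENTS[2]], state, t0 + timedelta(minutes=61))   # window passed
    user_only, _ = run_alert(EVENTS, {}, t0, fields=("user",))     # over-suppresses Event 2
    return {
        "first_run": [throttle_key(e, THROTTLE_FIELDS) for e in first],
        "second_run": len(second),
        "third_run": len(third),
        "remaining_throttles": len(state),
        "user_only": len(user_only),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```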


yemyslf
Path Finder

Thanks for the response. Sorry for not responding sooner as I've been tied up with other projects. I'll give this a shot and report back.

So I take it combining the fields as I had done using the eval statement and using that field as the throttle is not possible?


DalJeanis
Legend

You should be able to do this using the once per result option, per instructions in @woodcock's answer here -

https://answers.splunk.com/answers/295856/throttle-alerts-based-on-field-value.html

Updated this answer using a minor modification of his wording.


yemyslf
Path Finder

Thanks, I was aware of that field, but for some reason I thought separating the different fields with a comma would serve as an OR instead of AND.

So I ended up just entering user,url in the "Suppress results containing field value" box. This suppressed events where the user AND url were the same.
