Hello Everyone,
Unfortunately I may not be thinking outside of the box far enough for this one. Essentially a search is run to identify a "critical" value within a "threat level" field, and from that search we alert based on the "attack name" field. The issue I am coming across is that when creating the alert action, suppression (throttling) is based on the entire search. So in the event that 1 "attack name" out of 1,000 triggers the alert, it is suppressed for, for example, 4 hours. This is an issue because I would like to alert for any attack name and only suppress if the attack name is identical, without creating an alert for every single "attack name".
Assume 3 events are logged
1) 12:10 - Threat Level = Critical ; Attack Name = 123 (Alert via email)
2) 12:30 - Threat Level = Critical ; Attack Name = 654 (Alert via email)
3) 12:50 - Threat Level = Critical ; Attack Name = 123 (No alert, suppressed by event 1)
4) 12:54 - Threat Level = High ; Attack Name = 921 (No alert, threat level not = to Critical)
Thoughts and Ideas?
Thanks,
Justin
I found my answer to this. When specifying an action for an alert you must select the "Action Options" "When triggered, execute actions for each result". Select throttle, and specify the fields you want to suppress.
That sounds correct according to the Alerting Manual - Throttle Alerts guide.
Though in addition, for your use case above, i.e. Event #4 "(No alert, threat level not = to Critical)", you would just need your alert search query to include `| search "Threat Level"="Critical"` to filter only those events to alert on.
https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts
Your answer came up when I was trying to understand how the Suppress triggering for options works in conjunction with the Suppress results containing field value.
My understanding is that whatever comma-delimited list of fields you list in the Suppress results containing field value text input, if data hasn't changed in those fields since the last alert, don't re-alert.
My application of this is to have a single alert across a large number of hosts for a specific event, using the host as the Suppress results containing field value field, which I'm hoping will prevent recurring alerts from a single host, but allow other hosts to still trigger notifications.
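To make the two throttle behaviours discussed in this thread concrete, here is an added example (not code from the thread or from Splunk) that replays the four sample events from the question through a small model of the suppression logic: once with search-level throttling, and once with "execute actions for each result" plus a field-based throttle. The same function handles the per-host case from the last comment. The event timestamps, field names and host names are constructed sample data, and the exact-boundary behaviour of the window (a result arriving exactly when the period ends fires again) is an assumption of this model, not something the thread states.

```python
"""Model of Splunk alert throttling as described in the thread.

Two modes are compared:
  * search-level throttle: one suppression window for the whole alert,
    so any firing silences every later result for the period.
  * per-field throttle ("When triggered, execute actions for each result"
    with "Suppress results containing field value" set to a field list):
    one suppression window per distinct combination of field values.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# The "4 hours" quoted in the question.
SUPPRESS_PERIOD = timedelta(hours=4)

# Constructed sample events mirroring the question's numbered list.
EVENTS = [
    {"_time": "12:10", "Threat Level": "Critical", "Attack Name": "123"},
    {"_time": "12:30", "Threat Level": "Critical", "Attack Name": "654"},
    {"_time": "12:50", "Threat Level": "Critical", "Attack Name": "123"},
    {"_time": "12:54", "Threat Level": "High", "Attack Name": "921"},
]

# Constructed sample events for the per-host use case from the last comment.
HOST_EVENTS = [
    {"_time": "09:00", "Threat Level": "Critical", "host": "web-01"},
    {"_time": "09:05", "Threat Level": "Critical", "host": "web-02"},
    {"_time": "09:10", "Threat Level": "Critical", "host": "web-01"},
]


def parse_time(hhmm: str) -> datetime:
    """Parse the constructed HH:MM timestamps (all on one day)."""
    return datetime.strptime(hhmm, "%H:%M")


def matches_search(event: dict) -> bool:
    """Equivalent of `| search "Threat Level"="Critical"` in the alert's SPL."""
    return event.get("Threat Level") == "Critical"


def throttle(
    events: Sequence[dict],
    suppress_fields: Sequence[str] = (),
    period: timedelta = SUPPRESS_PERIOD,
) -> List[Tuple[str, dict, str]]:
    """Replay events in order and decide, per result, what the alert does.

    Returns (time, event, status) with status one of:
      "filtered"   - did not match the alert search at all
      "alert"      - action fired and a suppression window was started
      "suppressed" - inside an open window for the same throttle key

    An empty suppress_fields models the default search-level throttle: every
    result shares the single key () and so shares one window.
    """
    last_fired: Dict[tuple, datetime] = {}
    decisions: List[Tuple[str, dict, str]] = []
    for ev in events:
        t = parse_time(ev["_time"])
        if not matches_search(ev):
            decisions.append((ev["_time"], ev, "filtered"))
            continue
        # Per-field throttle keys on the listed field values; search-level
        # throttle collapses everything onto the empty key.
        key = tuple(ev.get(f) for f in suppress_fields)
        last = last_fired.get(key)
        # Assumption: a result arriving exactly at the end of the window fires.
        if last is not None and t - last < period:
            decisions.append((ev["_time"], ev, "suppressed"))
            continue
        last_fired[key] = t
        decisions.append((ev["_time"], ev, "alert"))
    return decisions


def statuses(decisions: List[Tuple[str, dict, str]]) -> List[str]:
    """Just the status column, for easy comparison."""
    return [status for _, _, status in decisions]


if __name__ == "__main__":
    print("search-level throttle:", statuses(throttle(EVENTS)))
    print("throttle on Attack Name:", statuses(throttle(EVENTS, ("Attack Name",))))
    print("throttle on host:", statuses(throttle(HOST_EVENTS, ("host",))))
```

With search-level throttling the second attack name (654) is swallowed by the window opened by the first, which is exactly the problem described in the question; with the throttle keyed on "Attack Name" only the repeat of 123 is suppressed, and the "High" event never reaches the actions because the search filter removes it first. In savedsearches.conf the per-result configuration corresponds to `alert.digest_mode = 0` together with `alert.suppress = 1`, `alert.suppress.fields = <field list>` and `alert.suppress.period = 4h`.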