Alerting

How to throttle email alerts on multiple unique values from one field?

jstaley
Explorer

Hello Everyone,

Unfortunately I may not be thinking outside of the box far enough for this one. Essentially a search is ran to identify a "critical" value within a "threat level" field, and from that search we alert based on the "attack name" field. The issue I am coming across is when creating the alert action, suppression (throttling) is based on the entire search. So in the event that 1 "attack name" out of 1,000 triggers the alert, it is suppressed for example 4 hours. This is an issue because I would like to alert for any attack name and only suppress if the attack name is identical. Without creating a alert for every single "attack name".

Assume 3 events are logged

1) 12:10 - Threat Level = Critical ; Attack Name = 123 (Alert via email)
2) 12:30 - Threat Level = Critical ; Attack Name = 654 (Alert via email)
3) 12:50 - Threat Level = Critical ; Attack Name = 123 (No alert, suppressed by event 1)
4) 12:54 - Threat Level = High ; Attack Name = 921 (No alert, threat level not = to Critical)

Thoughts and Ideas?

Thanks,
Justin

1 Solution

jstaley
Explorer

I found my answer to this. When specifying a action for a alert you must select the "Action Options" "When triggered, execute actions for each result". Select throttle, and specify the fields you want to suppress. ,Found my answer for this.

  1. Modify the Action within the Alert.
  2. Under "Action Options" select "When triggered, execute actions - For each result"
  3. Select the "Throttle" check box.
  4. Suppress results containing field value (I specified "Attack Name" for the above example)
  5. Save

View solution in original post

jstaley
Explorer

I found my answer to this. When specifying a action for a alert you must select the "Action Options" "When triggered, execute actions for each result". Select throttle, and specify the fields you want to suppress. ,Found my answer for this.

  1. Modify the Action within the Alert.
  2. Under "Action Options" select "When triggered, execute actions - For each result"
  3. Select the "Throttle" check box.
  4. Suppress results containing field value (I specified "Attack Name" for the above example)
  5. Save

bwlm
Path Finder

That sounds correct according to the Alerting Manual - Throttle Alerts guide.

Though in addition to your use case above for events, i.e. Event #4 "(No alert, threat level not = to Critical)" you would just need your Alert search query to include: |search "Threat Level" = "Critical" to filter only those events to alert on.

https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

0 Karma

dijikul
Communicator

Your answer came up when I was trying to understand how the Suppress triggering for options works in conjunction with the Suppress results containing field value.

My understanding is that whatever comma-delimited list of fields you list in the Suppress results containing field value text input, if data hasn't changed in those fields since the last alert, don't re-alert.

My application of this is to have a single alert across a large number of hosts for a specific event, using the host as the Suppress results containing field value field, which I'm hoping will prevent recurring alerts from a single host, but allow other hosts to still trigger notifications.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...