Alerting

In an alert result, how to show only the most recent event(s)?

zapping575
Explorer

I am trying to figure out the following and would greatly appreciate some help:

I have an alert whose search query looks for a certain event within the last 30 days.

If the event of interest occurs, an alert shall be triggered. This is working fine.

Now, because I have to look for events in the last 30 days, I do not want the exact same event to trigger another alert. I do however, want to trigger another alert if the event occurs on say....a different host.

By my understanding, this can be achieved by the following:

- Use trigger type "for each event"

- Suppress for 30 days: events with the field _time

When the event in question has triggered, we navigate to triggered alerts and select "show events". I want to be able to see only the very event that triggered that very same, recent alert. I want this because it helps the person who is investigating the issue to immediately see what asset is affected.

Is it possible to do this?


somesoni2
Revered Legend

How often does the alert run? Any specific reason for using the last 30 days as the time range?


zapping575
Explorer

That's a really good question. I have the alert set up to run every hour.

The reason I am searching within the last 30 days is because I have some thresholds at hand for my alerts. Those thresholds are per host and per month.

It just occurred to me that if the threshold for an alert is zero (which it is for the alert in question) I might as well ignore the per-month rule.

So I could just search within the last hour instead while still suppressing previous alerts for the past hour and the field _time. This still isn't "perfect", but better than getting all events from the past 30 days listed in the alert results.

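The set-up discussed in this thread (per-result trigger, throttled on _time) written out as a savedsearches.conf stanza, added here as an example and not taken from either poster. The index, sourcetype and event filter are placeholders; the search keeps only each host's newest matching event so that "show events" lists one recent event per affected asset instead of everything from the 30-day window, and host is added to the throttle fields so that two hosts sharing a timestamp are throttled independently.

```ini
# Hypothetical alert; replace the placeholder index/sourcetype/filter with the real ones.
[event_of_interest_per_host]
# Keep only the most recent matching event for each host; dedup sorts newest first.
search = index=<your_index> sourcetype=<your_sourcetype> <event filter> | dedup host sortby -_time

# Window and schedule from the thread: look back 30 days, run every hour.
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
cron_schedule = 0 * * * *
enableSched = 1

# Fire when at least one result comes back (threshold of zero, as in the thread).
counttype = number of events
relation = greater than
quantity = 0

# "For each result" trigger: one alert per row rather than one digest alert.
alert.digest_mode = 0

# Throttle for 30 days on the result's _time (plus host), so a given event only
# alerts once, while a new event on any host (a new _time) still triggers.
alert.suppress = 1
alert.suppress.fields = _time,host
alert.suppress.period = 30d

# Record firings under Activity > Triggered Alerts so "show events" is available.
alert.track = 1
```

With the hourly window the second post proposes, set dispatch.earliest_time = -60m@m and alert.suppress.period = 60m; the rest of the stanza is unchanged.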