In an alert result, how to show only the most rece...

zapping575 · ‎03-23-2022

I am trying to figure out the following and would greatly appreciate some help:

I have an alert which's search query looks for a certain event within the last 30 days.

If the event of interest occurs, an alert shall be triggered. This is working fine.

Now, because I have to look for events in the last 30 days, I do not want the exact same event to trigger another alert. I do however, want to trigger another alert if the event occurs on say....a different host.

By my understanding, this can be acheived by the following

-Use trigger type "for each event"

-Suppress for 30 days: events with the field _time

When the event in question has triggered, we navigate to triggered alerts and select "show events" I want to be able to see only the very event that triggered that very same, recent alert. I want this because it helps the person who is investigating the issue to immediately see what asset is affected.

Is it possible to do this?

somesoni2 · ‎03-23-2022

How often does the alert runs? Any specific reason for using last 30 days as timerange?

zapping575 · ‎03-24-2022

Thats a really good question. I have the alert setup to run every hour.

The reason I am searching within the last 30 days is because I have some thresholds at hand for my alerts. Those thresholds are per host and per month.

It just occurred to me that if the threshold for an alert is zero (which it is for the alert in question) I might as well ignore the per-month rule.

So I could just search within the last hour instead while still suppressing previous alerts for the past hour and the field _time. This still isnt "perfect" but better than getting all events from the past 30 days listed in the alert results.

In an alert result, how to show only the most recent event(s)?

alert action

alert condition

throttling

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life