Alerting

Is there a way to suppress an alert based upon fields?

dscoland
Path Finder

Hi Splunk Community,

Is there a way to suppress an alert based upon fields? For example, we would want a single alert of lockouts per user. But we are currently getting multiple alerts for the same user who got locked out on multiple domain controllers.

We also don't want to suppress the alert to long because it is possible two people could get locked out at around the same time.

I appreciate your help in advance!
Daniel

Tags (2)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

dscoland
Path Finder

Is there an easy way to do this?

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...