Hi Splunk Community,
Is there a way to suppress an alert based upon fields? For example, we would want a single alert of lockouts per user. But we are currently getting multiple alerts for the same user who got locked out on multiple domain controllers.
We also don't want to suppress the alert to long because it is possible two people could get locked out at around the same time.
I appreciate your help in advance!