Alerting

Is there a way to suppress an alert based upon fields?

dscoland
Path Finder

Hi Splunk Community,

Is there a way to suppress an alert based upon fields? For example, we would want a single alert of lockouts per user. But we are currently getting multiple alerts for the same user who got locked out on multiple domain controllers.

We also don't want to suppress the alert to long because it is possible two people could get locked out at around the same time.

I appreciate your help in advance!
Daniel

Tags (2)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

martin_mueller
SplunkTrust
SplunkTrust

dscoland
Path Finder

Is there an easy way to do this?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.