I wanted to get some clarification on how trigger conditions affect notable response actions for correlation searches in Enterprise Security. The trigger condition options are between "Once" and "For each Result", and I believe I understand the difference. However, under them there is a little blurb that says "Notable response actions and risk response actions are always triggered for each result."
To me, this essentially nullifies "Once" since the action will be triggered for each result. As a result, I fail to see how "Once" is any different than "For each Result". But surely they can't be the same.
Hi @mobrien1,
I suppose that the meaning of the affirmation is that e.g. the risk score is counted for each value you can find in the results of your Correlation Search, so if you have more hosts in the results, the Risk Score is counted for all of them.
But, why did you post this question?
Ciao.
Giuseppe
I think I would agree with your first statement.
But the reason I posted this question is that the phrase "Notable response actions and risk response actions are always triggered for each result." effectively makes "Once" and "For each result" the same thing (at least in my mind). But they are two distinct options, so I feel like they can't be the same. This makes me think I'm misunderstanding something.
Hi @mobrien1,
maybe "Once" and "For each result" came from Alerts.
I don't find any other answer.
Let me know if I can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Yeah maybe some others will chime in. The only thing I can think of is that the number of alerts that show up in Triggered Alerts would be different depending on which option ("Once" or "For each") you select. I saw this post which is sort of similar, but no one responded to it.