Alerting

Once vs For Each Notable Response Actions Clarification

mobrien1
Explorer

I wanted to get some clarification on how trigger conditions affect notable response actions for correlation searches in Enterprise Security. The trigger condition options are between "Once" and "For each Result", and I believe I understand the difference. However, under them there is a little blurb that says "Notable response actions and risk response actions are always triggered for each result."

[Screenshot attached: mobrien1_0-1720722111909.png]

To me, this essentially nullifies "Once" since the action will be triggered for each result. As a result, I fail to see how "Once" is any different than "For each Result". But surely they can't be the same. 


gcusello
SplunkTrust

Hi @mobrien1 ,

I suppose that the meaning of the affirmation is that e.g. risk score is counted for each value you can find in the results of your Correlation Search, so if you have more hosts in the results, the Risk Score is counted for all of them.

But, why did you post this question?

Ciao.

Giuseppe

mobrien1
Explorer

I think I would agree with your first statement.

But the reason I posted this question is that the phrase "Notable response actions and risk response actions are always triggered for each result." effectively makes "Once" and "For each result" the same thing (at least in my mind). But they are two distinct options, so I feel like they can't be the same. This makes me think I'm misunderstanding something. 


gcusello
SplunkTrust

Hi @mobrien1 ,

maybe "Once" and "For each result" come from Alerts.

I don't find any other answer.

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

mobrien1
Explorer

Yeah maybe some others will chime in. The only thing I can think of is that the number of alerts that show up in Triggered Alerts would be different depending on which option ("Once" or "For each") you select. I saw this post which is sort of similar, but no one responded to it. 

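The following is an added illustration, not a post from this thread and not Splunk's own documentation: two savedsearches.conf stanzas for a hypothetical ES correlation search that differ only in the trigger condition. In savedsearches.conf the "Once" / "For each result" choice is stored as `alert.digest_mode` (1 = Once, 0 = For each result). The search string, stanza names, index and field names are made up for the example; the conf keys are standard ones. The practical takeaway that follows from the blurb quoted in the question is in the comments: because the notable action is applied per result row in either mode, the way to control how many notables a correlation search raises is to shape the rows (aggregate with `stats ... BY host`) and throttle on the fields that identify a notable, not to switch between "Once" and "For each result".

```ini
# Added example (not from the thread). Two stanzas for a hypothetical ES
# correlation search; only alert.digest_mode differs. Index, field and
# stanza names are constructed for illustration.

[ES - Brute Force by Host - Once]
search = index=auth action=failure | stats count AS failures BY host | where failures > 50
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
# Marks the saved search as an ES correlation search.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force by Host (Once)
# "Once" (digest mode): actions that honour digest mode, such as email,
# run a single time with the whole result set attached.
alert.digest_mode = 1
# Notable response action. As the ES UI note quoted in the question says,
# this action is applied for each result regardless of digest mode, so
# three hosts over the threshold produce three notables.
action.notable = 1
# Throttle repeat notables for the same host for one hour; this, together
# with the "stats ... BY host" aggregation, is what bounds notable volume.
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h

[ES - Brute Force by Host - For each result]
search = index=auth action=failure | stats count AS failures BY host | where failures > 50
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force by Host (For each result)
# "For each result": digest-mode-aware actions (e.g. email) now also run
# once per result row. For the notable action the two stanzas behave the
# same, which is the point the thread is circling around.
alert.digest_mode = 0
action.notable = 1
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
```

When comparing the two, look at an action other than the notable one (an email or webhook action added to both stanzas) to see the trigger condition actually make a difference; for the notable and risk actions alone the setting is, as the UI note says, irrelevant.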