Hello
I am currently trying to write an alert for some Windows Event Log data on client machine BSODs. The problem here is that after the initial BSOD, windows will continue to create and log the same events again and again, just with a different "EventID" and "RecordNumber". However, I only care about the first time one of these events is logged with a unique field value for the field "Report_Id".
Is there a way I can either write my search or throttle my alert triggers to only alert the first time Splunk sees a new "Report_Id" value?
Will it work by doing a real-time search and just doing a dedup on the unique field?
Thanks
You can throttle alerts so that events with the same EventID, RecordNumber, and host value do not trigger future alerts for a timespan that you specify: https://docs.splunk.com/Documentation/Splunk/7.1.0/Alert/ThrottleAlerts
You'd just have to specify the amount of time to throttle and the field names.
You can throttle alerts so that events with the same EventID, RecordNumber, and host value do not trigger future alerts for a timespan that you specify: https://docs.splunk.com/Documentation/Splunk/7.1.0/Alert/ThrottleAlerts
You'd just have to specify the amount of time to throttle and the field names.