Solved: Realtime alert: How can I either write my search o...

xxkenta · ‎05-30-2018

Hello

I am currently trying to write an alert for some Windows Event Log data on client machine BSODs. The problem here is that after the initial BSOD, windows will continue to create and log the same events again and again, just with a different "EventID" and "RecordNumber". However, I only care about the first time one of these events is logged with a unique field value for the field "Report_Id".

Is there a way I can either write my search or throttle my alert triggers to only alert the first time Splunk sees a new "Report_Id" value?

Will it work by doing a real-time search and just doing a dedup on the unique field?

Thanks

dflodstrom · ‎05-30-2018

You can throttle alerts so that events with the same EventID, RecordNumber, and host value do not trigger future alerts for a timespan that you specify: https://docs.splunk.com/Documentation/Splunk/7.1.0/Alert/ThrottleAlerts

You'd just have to specify the amount of time to throttle and the field names.

View solution in original post

dflodstrom · ‎05-30-2018

You can throttle alerts so that events with the same EventID, RecordNumber, and host value do not trigger future alerts for a timespan that you specify: https://docs.splunk.com/Documentation/Splunk/7.1.0/Alert/ThrottleAlerts

You'd just have to specify the amount of time to throttle and the field names.

Realtime alert: How can I either write my search or throttle my alert triggers to only alert the first time Splunk sees one alert per unique field value?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms