Alerting

Realtime alert: How can I either write my search or throttle my alert triggers to only alert the first time Splunk sees one alert per unique field value?

xxkenta
Explorer

Hello

I am currently trying to write an alert for some Windows Event Log data on client machine BSODs. The problem here is that after the initial BSOD, windows will continue to create and log the same events again and again, just with a different "EventID" and "RecordNumber". However, I only care about the first time one of these events is logged with a unique field value for the field "Report_Id".

Is there a way I can either write my search or throttle my alert triggers to only alert the first time Splunk sees a new "Report_Id" value?

Will it work by doing a real-time search and just doing a dedup on the unique field?

Thanks

0 Karma
1 Solution

dflodstrom
Builder

You can throttle alerts so that events with the same EventID, RecordNumber, and host value do not trigger future alerts for a timespan that you specify: https://docs.splunk.com/Documentation/Splunk/7.1.0/Alert/ThrottleAlerts

You'd just have to specify the amount of time to throttle and the field names.

View solution in original post

dflodstrom
Builder

You can throttle alerts so that events with the same EventID, RecordNumber, and host value do not trigger future alerts for a timespan that you specify: https://docs.splunk.com/Documentation/Splunk/7.1.0/Alert/ThrottleAlerts

You'd just have to specify the amount of time to throttle and the field names.

Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...