Re: Sending alert only once for similar events

michael_vi · ‎12-22-2024

We have a TrueSight integration with Splunk that is sending results when a certain event occurs.

Sometimes no events are being sent, and I want to document only the first time when it happens, for example:

Time	0	5	10	15	20	25	30	35	40	45	50	55	0	5	10	15	20	25	30
# of Events	3	4	0	0	0	8	15	2	0	5	55	66	0	0	0	0	0	8	9

I want to include also 0 values that occurs only the first time and not all the times when we have an alert.

Please assist

michael_vi · ‎12-29-2024

The desired result is to send alerts for all events > 0 and only once for alert that has 0 for the first time:

Scheduled alerts:

Time	0	5	10	15	20	25	30	35	40	45	50	55	0	5	10	15	20	25	30
# of Events	3	4	0	0	0	8	15	2	0	5	55	66	0	0	0	0	0	8	9

Desired output, i.e. the alert that I want to receive

Time	0	5	10	25	30	35	40	45	50	55	0	25	30
# of Events	3	4	0	8	15	2	0	5	55	66	0	8	9

Is there a configuration that I need to activate in alerts box? Or is there something else that I'm missing?

scelikok · ‎12-23-2024

Hi @michael_vi,

Can you please describe your desired output more clear? If you mean filtering only the bold ones it conflicts with the definition. You want to see 3,4,0,8,0,5 etc or 3,0,8,0,5,0,8 etc?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

rishabhshah · ‎12-23-2024

As per above table, considering Time as _time and # of events as count, Please try below query -

| search count=0
| stats first(count) as count by _time

Let me know if this is what you're aiming to achieve.

Sending alert only once for similar events

alert action

alert condition

throttling

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?