Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Alerting

justindett
Path Finder
‎06-09-2020 11:50 PM

Hi,

I would like to understand how I would be able to setup an alert that must be sent via email only once. Eg. When an event is returned for a search an alert is raised an an email gets sent. I only want to be notified once about this event. In other words if the search runs every 5 minutes it should send the alert for the initial event it picks up, not every 5 minutes.

Is the only way to prevent this by selecting Throttle and specifying a number of hours/days/minutes to suppress the alerts?

In my search example I receive the usernames that are locked out with times etc in a table format. I am worried that if I set suppress I will not receive new locked out usernames during that period.

So basically I only want an email event sent once, and only again when the search result changes from the initial result, but still conforms to the conditions setup in the alert.

I hope this makes sense and if someone could assist me in understanding what I can do.

Thanks

Labels (2)
Labels
0 Karma
Reply

snowmizer
Communicator
‎06-10-2020 11:54 AM

Throttling will control how often the email is sent. You will need to craft your search so that it detects new lockout events during the time range. Then you can set the alert criteria to alert if the returned event count > 0.

Reply

justindett
Path Finder
‎06-10-2020 12:13 PM

Thanks, I've tried that but it doesnt seem to work. Maybe it's related to the search query? Basically there are 2 events that show up every hour (polling cycle seems to be 60 minutes for these events). 

I need the initial event that shows those 2 events, and then only again if there is a new entry/event with a different user.

See attached screenshots of search and alert settings. I have set it to supress for 24 hours for now just to stop the alerts continuously being emailed.

Screenshot 2020-06-10 at 21.04.25.pngScreenshot 2020-06-10 at 21.08.21.png

0 Karma
Reply

snowmizer
Communicator
‎06-10-2020 12:27 PM

Maybe create a lookup of user ids that have been found as locked (with the date time found) and then when you find a user do a lookup match and only return events where the user isn't in the lookup and as a final step update the lookup with new users.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...