Solved: Splunk alert to verify results sent in previous al...

bsaujla131984 · ‎04-09-2020

I have an alert which checks the number of messages stuck in the queue with suppressing of 4 hours otherwise there will be number of alerts.

Now I need to make it more dynamic means it should alert only if alert has not been sent for same result in last 4 hours.

Can someone guide with this please?

DalJeanis · ‎04-10-2020

There is an option to suppress per result rather than for the entire search.

You must write the search so that it gets one line of output per item at the level you want to suppress.

If you give more specific information about your needs, then we can give a more specific reply.

DalJeanis · ‎04-10-2020

There is an option to suppress per result rather than for the entire search.

You must write the search so that it gets one line of output per item at the level you want to suppress.

If you give more specific information about your needs, then we can give a more specific reply.

bsaujla131984 · ‎04-10-2020

Can you let me know how can suppress the result rather than whole search?

bsaujla131984 · ‎04-17-2020

Thanks DalJeanis. It worked.

Splunk alert to verify results sent in previous alert