Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stop creating alerts for users that have had alert created already within a window

Southy567
Explorer
‎11-02-2023 08:16 PM

Hi all!

Hoping you can help me out. We are setting up an alert in splunk that will feed into servicenow, that when triggered will allow us to reach out to our users whenever they lock themselves out instead of them calling through to IT desk. We don't want a snow alert to trigger every time they show up in the splunk seach however, instead if they have had an alert created in the last 4 hours for example they are not included and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again.

I have the search to a point where it is finding the users with issues and creating a transaction so we are getting them at the point they would be calling us, just stuck on that last bit.

 index=prd_example sourcetype=LogSource "host=Host*
| transaction UserID EventDescription maxspan=4h
| table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount
| where eventcount >= 3
| sort -_time

Any help would be greatly appreciated. I'm not even sure if this can be done at the splunk level or needs to be done at the SNow end

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tej57
Builder
‎11-03-2023 07:15 AM

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

tej57_0-1699020743110.png

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

tej57_1-1699020798694.png

 

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have s SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

tej57
Builder
‎11-03-2023 07:15 AM

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

tej57_0-1699020743110.png

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

tej57_1-1699020798694.png

 

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have s SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...