Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stop creating alerts for users that have had alert created already within a window

Southy567
Explorer
‎11-02-2023 08:16 PM

Hi all!

Hoping you can help me out. We are setting up an alert in splunk that will feed into servicenow, that when triggered will allow us to reach out to our users whenever they lock themselves out instead of them calling through to IT desk. We don't want a snow alert to trigger every time they show up in the splunk seach however, instead if they have had an alert created in the last 4 hours for example they are not included and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again.

I have the search to a point where it is finding the users with issues and creating a transaction so we are getting them at the point they would be calling us, just stuck on that last bit.

 index=prd_example sourcetype=LogSource "host=Host*
| transaction UserID EventDescription maxspan=4h
| table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount
| where eventcount >= 3
| sort -_time

Any help would be greatly appreciated. I'm not even sure if this can be done at the splunk level or needs to be done at the SNow end

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tej57
Communicator
‎11-03-2023 07:15 AM

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

tej57_0-1699020743110.png

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

tej57_1-1699020798694.png

 

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have s SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

tej57
Communicator
‎11-03-2023 07:15 AM

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

tej57_0-1699020743110.png

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

tej57_1-1699020798694.png

 

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have s SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...