Alerting

Stop creating alerts for users that have had alert created already within a window

Southy567
Explorer

Hi all!

Hoping you can help me out. We are setting up an alert in Splunk that will feed into ServiceNow, that when triggered will allow us to reach out to our users whenever they lock themselves out instead of them calling through to the IT desk. We don't want a SNOW alert to trigger every time they show up in the Splunk search, however; instead, if they have had an alert created in the last 4 hours, for example, they are not included and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again.

I have the search to a point where it is finding the users with issues and creating a transaction so we are getting them at the point they would be calling us, just stuck on that last bit.

 index=prd_example sourcetype=LogSource host=Host*
| transaction UserID EventDescription maxspan=4h
| where eventcount >= 3
| sort -_time
| table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount

Any help would be greatly appreciated. I'm not even sure if this can be done at the Splunk level or needs to be done at the SNOW end.


tej57
Contributor

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

[screenshot: tej57_0-1699020743110.png]

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

[screenshot: tej57_1-1699020798694.png]

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have a SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

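The throttle settings from the accepted answer, written out as a savedsearches.conf stanza so the whole alert can be reviewed and version-controlled. This is an added example, not code from the thread or from Splunk's own documentation; the stanza name, schedule, and the search itself (taken from the question, with the stray quote removed) are assumptions. The practitioner's caveat it encodes: throttling on its own mutes the entire alert for the period, so a different user locking out ten minutes after the first would also be dropped. To get the behaviour the question asks for (suppress per user, keep alerting for new users) the throttle has to be keyed on the UserID field with "Suppress results containing field value", which in the conf file is alert.suppress.fields, and the alert has to trigger per result rather than once per run.

```ini
# Added example: scheduled alert for repeated account lockouts, throttled
# per UserID for 4 hours. Stanza name, index, sourcetype, field names and
# schedule are assumptions based on the thread, not a real deployment.
[Account lockout - user outreach]
enableSched = 1
cron_schedule = */15 * * * *
# Look back over the same 4h window the transaction command spans.
dispatch.earliest_time = -4h
dispatch.latest_time = now
search = index=prd_example sourcetype=LogSource host=Host* \
| transaction UserID EventDescription maxspan=4h \
| where eventcount >= 3 \
| table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount

# Fire whenever the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
# Trigger once per result row (not once per search run), so each user is
# evaluated and throttled independently of the others.
alert.digest_mode = 0
alert.track = 1

# Throttle for 4 hours, keyed on UserID. Without alert.suppress.fields the
# suppression applies to the alert as a whole, which would also hide a
# new user who locks out while the period is still running.
alert.suppress = 1
alert.suppress.period = 4h
alert.suppress.fields = UserID

# The ServiceNow alert action and its parameters depend on the add-on that
# is installed (assumption: the Splunk Add-on for ServiceNow); enable it
# here with its own action.<name> = 1 line rather than inventing one.
```

Deploy the stanza in an app's local/savedsearches.conf (or set the same options in the alert editor: Trigger "For each result", Throttle enabled, "Suppress results containing field value" set to UserID, suppression period 4 hours). Note that the 4-hour throttle window and the 4-hour maxspan in the search are independent settings; keeping them equal is what makes "eligible again after 4 hours" hold for the ticket as well as the search.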

