Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stop creating alerts for users that have had alert created already within a window

Southy567
Explorer
‎11-02-2023 08:16 PM

Hi all!

Hoping you can help me out. We are setting up an alert in splunk that will feed into servicenow, that when triggered will allow us to reach out to our users whenever they lock themselves out instead of them calling through to IT desk. We don't want a snow alert to trigger every time they show up in the splunk seach however, instead if they have had an alert created in the last 4 hours for example they are not included and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again.

I have the search to a point where it is finding the users with issues and creating a transaction so we are getting them at the point they would be calling us, just stuck on that last bit.

 index=prd_example sourcetype=LogSource "host=Host*
| transaction UserID EventDescription maxspan=4h
| table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount
| where eventcount >= 3
| sort -_time

Any help would be greatly appreciated. I'm not even sure if this can be done at the splunk level or needs to be done at the SNow end

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tej57
Builder
‎11-03-2023 07:15 AM

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

tej57_0-1699020743110.png

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

tej57_1-1699020798694.png

 

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have s SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

tej57
Builder
‎11-03-2023 07:15 AM

Hey @Southy567,

To achieve the use case, you can have alert throttling enabled. You can find the throttle checkbox in the below screenshot.

tej57_0-1699020743110.png

Once you check the throttle checkbox, you can suppress the alerting for 4 hours as mentioned in the below screenshot

tej57_1-1699020798694.png

 

So if the alert is suppressed for 4 hours, the SNOW ticket will not be created for the users that already have s SNOW ticket raised. After 4 hours, the alerting should resume as normal for the same set of users.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...