Alerting

Suppress results containing field value with multiple values using search result field.

olavandreas
Explorer

I have a search triggering for a certain failed threshold for a monitored value. Instead of making 7 alerts one per customer, I made one search and one alert creating a table of results. Hence I needed to use the "Trigger for each result" option in alerts.

Then I needed to suppress per customer when the trigger value exceeded threshold. My alert searches every minute for the last 15 minutes, and is supposed to throttle for 15 minutes on hit.

Googling and documentation suggest setting 'customer' field in the "Suppress results containing field value" text box in Splunk. This did not suppress when "For each result" was enabled, and I got an alert every minute.

So how to do it?

Labels (2)
0 Karma
1 Solution

olavandreas
Explorer

The wanted behavior was achieved by using the $$ syntax to reference values extracted at search time.

Suppress results containing field value:customer = $result.customer$

 

Setting this in the alert I both got alert per row in my resulting table, and suppress on value (result.customer) per customer. So that each customer is alerted on only once per 15 minutes in my case.

View solution in original post

olavandreas
Explorer

The wanted behavior was achieved by using the $$ syntax to reference values extracted at search time.

Suppress results containing field value:customer = $result.customer$

 

Setting this in the alert I both got alert per row in my resulting table, and suppress on value (result.customer) per customer. So that each customer is alerted on only once per 15 minutes in my case.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...