Throttle Alert per result for multiple unique valu...

willcwhite · ‎02-25-2020

I created an alert that outputs multiple application names when the alert query conditions are met. I want to receive a separate alert for each application and throttle each one for an hour. I tried using $result.application$ as the "suppress results containing field value" input, but that prevented any alerts coming in after the first one was created. Is there any way to throttle alerts for each specific value without having to manually type in each one, as there are hundreds.

Thanks

anmolpatel · ‎02-26-2020

In savedsearches.conf

[alert_name]
action.email = 1
action.email.to = test@test.com
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
counttype = number of events
cron_schedule = 1 * * * *
dispatch.earliest_time = -1h@-1m
dispatch.latest_time = now

This will email the result as a table and should suppress for next 1 hour until next search is executed

to4kawa · ‎02-26-2020

alert_action.conf

Throttle Alert per result for multiple unique values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation