Hello,
Background:
I am generating alerts around our Office 365 Environment using the Content Pack for Microsoft 365. I have limited search query experience but willing to put in the time to learn more as I go.
About the Content Pack for Microsoft 365 - Splunk Documentation
Trying to accomplish:
Runs every 10 minutes > Trigger single alert if "id"/"Ticket" is unique for every result > Throttle for 24 hours
This is just an example of my search query:
(index=Office365) sourcetype="o365:service:healthIssue" service="Exchange Online" classification=incident OR advisory status=serviceDegradation OR investigating
| eventstats max(_time) as maxtime, by id
| where _time = maxtime
| mvexpand posts{}.description.content
| mvexpand posts{}.createdDateTime
| rename posts{}.description.content AS content posts{}.createdDateTime AS postUpdateTime
| stats latest(content) AS Content latest(status) AS Status earliest(_time) AS _time latest(postUpdateTime) AS postUpdateTime by service, classification id isResolved
| fields _time service classification id Content postUpdateTime Status isResolved
| sort + isResolved -postUpdateTime
| rename isResolved AS Resolved? service AS Workload id AS Ticket classification AS Classification postUpdateTime AS "Last Update"
What Is happening:
There could be technically be 3 events based on the search query but the alert will only send 1 email to me (with only 1 event) instead of 3 individual alert emails, with 3 separate events.
I am trying to prevent the same alert being generated for the same "Ticket/ID" so if a new event happens it will trigger the alert should I be using a custom trigger? and if so what result would I suppress to prevent multiple alerts of the same "ticket/id"?
Any help would be greatful!
Thank you!
I have setup based your suggested settings (this is actually what I was using first) however it only captures 1 event instead of the 3 that are available:
I uploaded some more screenshots below on what I am experiencing and hope this makes more sense now.
