Solved: help with alert throttling needed

damucka · ‎06-02-2020

Hello,

I have the alert that produces the table as an output, let us say that it looks as follows:

SYSSID, HOST, EMAIL
BWP, h1, email_list_1
BWP, h1, email_list_2

Now, I would like that two separate alerts get triggered, one for the row1 and second for the row2, the idea is that they are then sent to separate email recipients.
Now, what I did what to use throttling per result with the following settings for "Suppress results containing field value
":
$result.SYSSID$, $result.HOST$, $result.EMAIL$

What I would expect from that is that I get two separate alerts triggered (per result) and they both get suspended for the given time (15 min). Unfortunately I am not able to get it working. What happens is that only the first row is "seen" when processing the alert and correspondingly I get only one alert triggered, which is wrong.

Could you please help?

Kind Regards,
Kamil

493669 · ‎06-02-2020

Try entering direct fieldname in "Suppress results containing field value" box-

SYSSID,HOST,EMAIL

View solution in original post

493669 · ‎06-02-2020

Try entering direct fieldname in "Suppress results containing field value" box-

SYSSID,HOST,EMAIL

damucka · ‎06-02-2020

Thank you, it worked.

493669 · ‎06-02-2020

I am converting my comment to an answer please accept and upvote if it helps. 🙂

help with alert throttling needed

alert condition

email

throttling

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation