- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How can I throttle the alerts by multiple fiel...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I throttle the alerts by multiple field?
Dear all,
How can I throttle the alerts by multiple field?
For example, I would like to throttle the alerts if and only if both "src_ip" "dst_IP" "msg" are matched in log1 and log3
log1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
log3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log4. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2
My expected alert results are
alert1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
alert2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
alert3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2
BR
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I did to accomplish my variant of the starting question was to output an eval-field from the search that I used as throttle field.
| eval throttleId = a_field_from_the_search + "_" + another_field_in_the_search
Throttle expression was then: throttleId
The eval-field could use just about any logic, the threadstarter would possibly use the replace(X,Y,Z) function to strip out the log number.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Victor,
When you create your alert, you should use an AND operator in your search string, for example I would use an IF statement to set a field, e.g. SendAlert, to a boolean value of 0 or 1, then from the results trigger an alert if SendAlert is equal to 1.
I hope this helps, if not, let me know and I'll come up with something else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello aakwah,
Under "action option" in the alert item, can i put more than one field in "suppress results containing field value"?
BR
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Could you please elaborate more, as per my understanding you could make use of logical operator OR as per the following query:
(source=log1 src_ip=1.1.1.1) OR (source=log3 dst_ip="2.2.2.2")
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would actually be the AND logical operator, as stated in the question, if they both match.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
