Thanks @shivanshu1593 for response.

Actually we are sending a clear alert condition every 1 minute to an another tool where that tool will auto-close this alerts based on this condition.

So we want to dedup this alerts for that particular time frame and splunk should send a new alert after that stipulated time instead of deduplicating on the existing alert.

Incase if we want to dedup the condition during that 1 minute time, shall we need to throttle by supress triggering to 1 minute or can you help in adding a dedup condition to the search?

P.S. This alert is running on a cron schedule for every minute for the search timerange of last 1 minute

Hello @Roy_9 ,

While setting up the throttling, in the Trigger, have you selected "Once" or "For each results". In your case, I'd go with "For each results", click on throttle checkbox and add the fields, which will be helpful to identify if the clear alert condition is new or duplicate. 

Are you sending the condition via a custom alert action that you've created, or are you using an already present alert action.

Thanks,

S

We have selected "once" but didn't set up throttling, shall we make it to "For each results" and select throttle to 1 min on the desired fields,.

We are sending the alerts using the custom alert action (eg., search X < 50)

Yes please set it "For each results", select the checkbox to enable throttling and enter the desired fields and set the desired time.

That should do the trick. Let me know if it works.

Thank you,

S

I will test that out and let you know.

Thanks @shivanshu1593