- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk alerts for clear condition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk alerts for clear condition
We have set up a splunk alerts for clear condition(eg., X < 50) for every 1 min and sending it to another tool where this alerts will autoclose.Is there a way where we can dedup the alerts for a certain time frame so that new alert should be triggered and should create a new incident.
We tried to throttle the alert but it's not meeting the requirement.
Please help me on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the issue that you're encountering while throttling? Could you also please throw some light as to how you're sending the data to a third party system? Alert actions, custom command etc. It'll help to understand your use case a bit better and then help you.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @shivanshu1593 for response.
Actually we are sending a clear alert condition every 1 minute to an another tool where that tool will auto-close this alerts based on this condition.
So we want to dedup this alerts for that particular time frame and splunk should send a new alert after that stipulated time instead of deduplicating on the existing alert.
Incase if we want to dedup the condition during that 1 minute time, shall we need to throttle by supress triggering to 1 minute or can you help in adding a dedup condition to the search?
P.S. This alert is running on a cron schedule for every minute for the search timerange of last 1 minute
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Roy_9 ,
While setting up the throttling, in the Trigger, have you selected "Once" or "For each results". In your case, I'd go with "For each results", click on throttle checkbox and add the fields, which will be helpful to identify if the clear alert condition is new or duplicate.
Are you sending the condition via a custom alert action that you've created, or are you using an already present alert action.
Thanks,
S
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have selected "once" but didn't set up throttling, shall we make it to "For each results" and select throttle to 1 min on the desired fields,.
We are sending the alerts using the custom alert action (eg., search X < 50)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes please set it "For each results", select the checkbox to enable throttling and enter the desired fields and set the desired time.
That should do the trick. Let me know if it works.
Thank you,
S
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
