Suppressing using priority field in Alert Manager

logginz85 · ‎10-14-2020

Hi.

We've recently started using Alert Manager on Splunk Cloud (8.1.2) and have managed to create dynamic alerts based upon a lookup of impact and urgency.

These calculate the "priority" field in Alert Manager, and we're looking for a way to suppress the "informational" level alerts (low/low)

Under Settings> Suppression Rules, I figured I could set up a rule that went as such,

Rule type = Normal
Scope = Rule_name*
Field = $priority$
Condition = is
Value = informational

Yet this does not seem to suppress anything.

I have tried with Field = $result.priority$ but that doesnt work either.

Any help would be greatly appreciated

jdanielabacode · ‎04-06-2021

I have the exact same issue. I've read over the alert manager documentation as well and that also gives no further insight. Has anyone come across a solution?

logginz85 · ‎10-15-2020

looking just to suppress/auto-resolve on the main Alert manager page (Incident Posture?)

I'm unsure how I'd go about modifying macros tbh.

richgalloway · ‎10-14-2020

It depends on where are you wanting to suppress the data.

Are you willing to modify macros? If so, add this to filter out informational alerts.

| where priority!=informational

---
If this reply helps you, Karma would be appreciated.

Suppressing using priority field in Alert Manager

administration

development

search

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update