Hi.
We've recently started using Alert Manager on Splunk Cloud (8.1.2) and have managed to create dynamic alerts based upon a lookup of impact and urgency.
These calculate the "priority" field in Alert Manager, and we're looking for a way to suppress the "informational" level alerts (low/low)
Under Settings> Suppression Rules, I figured I could set up a rule that went as such,
Rule type = Normal
Scope = Rule_name*
Field = $priority$
Condition = is
Value = informational
Yet this does not seem to suppress anything.
I have tried with Field = $result.priority$ but that doesnt work either.
Any help would be greatly appreciated
I have the exact same issue. I've read over the alert manager documentation as well and that also gives no further insight. Has anyone come across a solution?
looking just to suppress/auto-resolve on the main Alert manager page (Incident Posture?)
I'm unsure how I'd go about modifying macros tbh.
It depends on where are you wanting to suppress the data.
Are you willing to modify macros? If so, add this to filter out informational alerts.
| where priority!=informational