Suppressing using priority field in Alert Manager

logginz85 · ‎10-14-2020

Hi.

We've recently started using Alert Manager on Splunk Cloud (8.1.2) and have managed to create dynamic alerts based upon a lookup of impact and urgency.

These calculate the "priority" field in Alert Manager, and we're looking for a way to suppress the "informational" level alerts (low/low)

Under Settings> Suppression Rules, I figured I could set up a rule that went as such,

Rule type = Normal
Scope = Rule_name*
Field = $priority$
Condition = is
Value = informational

Yet this does not seem to suppress anything.

I have tried with Field = $result.priority$ but that doesnt work either.

Any help would be greatly appreciated

jdanielabacode · ‎04-06-2021

I have the exact same issue. I've read over the alert manager documentation as well and that also gives no further insight. Has anyone come across a solution?

logginz85 · ‎10-15-2020

looking just to suppress/auto-resolve on the main Alert manager page (Incident Posture?)

I'm unsure how I'd go about modifying macros tbh.

richgalloway · ‎10-14-2020

It depends on where are you wanting to suppress the data.

Are you willing to modify macros? If so, add this to filter out informational alerts.

| where priority!=informational

---
If this reply helps you, Karma would be appreciated.

Suppressing using priority field in Alert Manager

administration

development

search

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Suppressing using priority field in Alert Manager

administration

development

search

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...