We've recently started using Alert Manager on Splunk Cloud (8.1.2) and have managed to create dynamic alerts based upon a lookup of impact and urgency.
These calculate the "priority" field in Alert Manager, and we're looking for a way to suppress the "informational" level alerts (low/low)
Under Settings> Suppression Rules, I figured I could set up a rule that went as such,
Rule type = Normal
Scope = Rule_name*
Field = $priority$
Condition = is
Value = informational
Yet this does not seem to suppress anything.
I have tried with Field = $result.priority$ but that doesnt work either.
Any help would be greatly appreciated
It depends on where are you wanting to suppress the data.
Are you willing to modify macros? If so, add this to filter out informational alerts.
| where priority!=informational