Archive

Throttle Alert per result for multiple unique values

willcwhite
Explorer

I created an alert that outputs multiple application names when the alert query conditions are met. I want to receive a separate alert for each application and throttle each one for an hour. I tried using $result.application$ as the "suppress results containing field value" input, but that prevented any alerts coming in after the first one was created. Is there any way to throttle alerts for each specific value without having to manually type in each one, as there are hundreds.

Thanks

0 Karma

anmolpatel
Builder

In savedsearches.conf

[alert_name]
action.email = 1
action.email.to = test@test.com
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
counttype = number of events
cron_schedule = 1 * * * *
dispatch.earliest_time = -1h@-1m
dispatch.latest_time = now

This will email the result as a table and should suppress for next 1 hour until next search is executed

0 Karma

to4kawa
SplunkTrust
SplunkTrust
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!