Splunk Enterprise Security

How to apply Throttling based on a condition for a notable event generation?

vn_g
Path Finder

Requirement 1 :
Eg : I have a correlation search which generates , 2000 events with in 24 hours with the same Title "Important- Password Expiration Notice".
-- I shouldn't have 2000 notable events created in the Incident Review Dashboard. I should have only 1 notable event.
-- If the Title is different , then a notable event should be created.

I have tested updating Window duration as 24 hours and Fields to group by with "Title" field name , but it is working incorrectly.
It is not generating a notable event , if the Title is different.

Requirement 2 :
Is there a way , I can update the existing notable event.
Eg : Existing Notable event Title : Important- Password Expiration Notice
        Existing Field value : abcuser@company.com
        It should append the new value to existing field.
           --abcuser@company.com
           --xyzuser@compay.com

Labels (1)
0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...