Splunk IT Service Intelligence

ITSI Duplicate Alerts (Action)

felixwawolangi1
New Member

Hi,

I'm trying to configure a NEAP that would send one email / raise one SNOW incident for each episode.

I tried a few different Action Rules:

  • Number of events in episode >= 1 --> this would send an email for every notable event instead of one for the episode, and would continue sending emails until the episode breaks
  • Number of events in episode == 1 --> this does not trigger emails, since the episodes would typically have 3-4 events

I have a different NEAP for a different type of alert where it raises the incident correctly after the 3rd (same) event, e.g. after 15 minutes at a 5-minute search interval, by using:
  • Number of events in episode == 3

In this case though, the events are generated all at once, and there could be 1-8 events from different environments that I'm aggregating to one episode.

Regards
