ITSI Duplicate Alerts (Action)

Splunk ITSI

Hi,

I'm trying to configure a NEAT that would send one email / raise one SNOW incident for each episodes.

I tried a few different Action Rules:

Number of events in episode >= 1 --> this would send emails for every notable events instead of one for the episode, and will continue sending emails until the episode breaks
Number of events in episode == 1 --> this does not trigger emails, since the episodes would typically have 3-4 events

I have a different NEAP for a different type of alert where it would raise the incident correctly after the 3rd (same) event e.g. after 15 minutes at 5 mins search interval - by using:
- Number of events in episode == 3

In this case though, the events are generated all at once, and there could be 1-8 events from different environments that I'm aggregating to one episode.

Regards

Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...