Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I specify multiple separate fields in the "supress alerts with field value"

jguglielmi
New Member
‎03-30-2016 07:57 PM

I am reporting on batch processing.
At the highest level there us the concept of a "Batchid" and within each batchid there can be multiple "Jobid"'s.
Each job can possible fail which provides a literal "error" in a field I interrogate.
I want to alert based on every time a unique BatchID has an "error" field associated.
However, I want to check every 10 minutes and only send an alert when the batchid and jobid's are different.
If I just supress based on the same batchid being present, I might miss the case where the origonal jobid gets resoved, but the next job under the same batchid fails.
This is what I want to do:

batchid jobid action
1234 432 alert
1234 432 throttle wait
1234 567 alert
1267 123 alert

Tags (1)
0 Karma
Reply

maciep
Champion
‎03-31-2016 03:39 PM

Is this what you're referring to? I think you can put multiple fields in that throttle field list. So you can put it batchid and jobid in there maybe?

http://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

If that doesn't work or isn't an option, what about just eval'ing a new field in your search and then throttle based on it?

... | eval throttle_field = batchid." - ".jobid | ...

And then just choose that field for the throttling logic?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...