Hi dperre
Unfortunately I'm not familiar with the .conf files and how they relate to functionality in Splunk, at least not yet. I can't post screenshots unfortunately, but:
Schedule
Schedule Type = Basic
Run Every = 5 minutes
Schedule Window = 0
Alert
Condition = if number of events
is greater than = 0
Alert Mode = once per result
Throttling = after triggering the alert, don't trigger it again for 4 hours; per-result throttling fields: user, dest
What it does:
First Event - Alert Sends, Throttling Begins:
Username | Source IP | Destination IP | Count
John Doe | 1.1.1.1 | 2.2.2.2 | 33
Second Event - No Alert Sent Due to Throttle:
Username | Source IP | Destination IP | Count
Jane Doe | 1.1.1.2 | 2.2.2.2 | 54
John Doe | 1.1.1.1 | 2.2.2.2 | 35
Result: X = Lost to oblivion
What I need it to do:
First Event - Throttling Begins:
Username | Source IP | Destination IP | Count
John Doe | 1.1.1.1 | 2.2.2.2 | 33
Second Event - Alert on new unique event, but remove repeat data:
Username | Source IP | Destination IP | Count
Jane Doe | 1.1.1.2 | 2.2.2.2 | 54
John Doe | 1.1.1.1 | 2.2.2.2 | 35
Result:
Username | Source IP | Destination IP | Count
Jane Doe | 1.1.1.2 | 2.2.2.2 | 54
Also, if the destination value changes at all, I need it to still provide results. The idea is to reduce events where there is a consistent issue that is already being remediated, but catch anything new in the event the issue evolves or a new event occurs. Right now it is stripping everything it finds because one entry of data matched the previous event that was throttled. Hopefully that helps.
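As an added example (not from the post, and not Splunk's own throttling code), the following Python models the per-result throttle the poster is asking for: a result is suppressed only while its own user/dest key is inside the 4-hour window, so a new user or a changed destination still alerts. The field names, timestamps and rows are constructed from the tables in the post.

```python
from datetime import datetime, timedelta

# Constructed to mirror the post: throttle per result on user + dest for 4 hours
THROTTLE_FIELDS = ("user", "dest")
THROTTLE_WINDOW = timedelta(hours=4)

def throttle_results(results, state, now, window=THROTTLE_WINDOW, fields=THROTTLE_FIELDS):
    """Return only the rows that should still alert on this run.

    `state` maps a throttle key (user, dest) to the time that key last
    alerted. A row is suppressed while its key is inside the window; any
    row that passes refreshes its key's timestamp. A row with a new
    user/dest combination always passes, i.e. 'alert on the new unique
    event, but remove repeat data'.
    """
    passed = []
    for row in results:
        key = tuple(row[f] for f in fields)
        last = state.get(key)
        if last is not None and now - last < window:
            continue                      # repeat of a still-throttled result
        state[key] = now
        passed.append(row)
    return passed

def run_scenario():
    """Replay the two runs from the post plus two constructed follow-ups."""
    state = {}
    t0 = datetime(2024, 1, 1, 9, 0)
    john = {"user": "John Doe", "src": "1.1.1.1", "dest": "2.2.2.2", "count": 33}
    jane = {"user": "Jane Doe", "src": "1.1.1.2", "dest": "2.2.2.2", "count": 54}
    john_again = dict(john, count=35)
    john_new_dest = dict(john, dest="3.3.3.3", count=12)
    runs = [
        (t0, [john]),                                     # first event: alerts, throttle starts
        (t0 + timedelta(minutes=5), [jane, john_again]),  # Jane is new, John is a repeat
        (t0 + timedelta(minutes=10), [john_new_dest]),    # same user, changed destination
        (t0 + timedelta(hours=4, minutes=5), [john]),     # window expired, John alerts again
    ]
    return [[r["user"] + "->" + r["dest"] for r in throttle_results(rows, state, t)]
            for t, rows in runs]

if __name__ == "__main__":
    for i, alerted in enumerate(run_scenario(), 1):
        print(f"run {i}: {alerted or 'no alert'}")
```

Run 2 is the case from the post: only the Jane Doe row alerts, while the repeated John Doe row is dropped instead of suppressing the whole alert.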