Alerting

In an alert result, how to show only the most recent event(s)?

zapping575
Path Finder

I am trying to figure out the following and would greatly appreciate some help:

I have an alert whose search query looks for a certain event within the last 30 days.

If the event of interest occurs, an alert shall be triggered. This is working fine.

Now, because I have to look for events in the last 30 days, I do not want the exact same event to trigger another alert. I do however, want to trigger another alert if the event occurs on say....a different host.

By my understanding, this can be achieved by the following:

- Use trigger type "for each event"

- Suppress for 30 days: events with the field _time

When the event in question has triggered, we navigate to triggered alerts and select "show events". I want to be able to see only the very event that triggered that very same, recent alert. I want this because it helps the person who is investigating the issue to immediately see what asset is affected.

Is it possible to do this?

somesoni2
Revered Legend

How often does the alert run? Any specific reason for using last 30 days as the time range?

zapping575
Path Finder

That's a really good question. I have the alert set up to run every hour.

The reason I am searching within the last 30 days is because I have some thresholds at hand for my alerts. Those thresholds are per host and per month.

It just occurred to me that if the threshold for an alert is zero (which it is for the alert in question) I might as well ignore the per-month rule.

So I could just search within the last hour instead while still suppressing previous alerts for the past hour and the field _time. This still isn't "perfect" but better than getting all events from the past 30 days listed in the alert results.
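One way to configure the setup outlined in the last reply (hourly run, one-hour lookback, trigger per result, suppression for the past hour), shown here as an added savedsearches.conf example that was not posted by anyone in the thread. It assumes the events carry a `host` field and keys suppression on `host` rather than on `_time` (my assumption, so that a second affected host still raises its own alert while an already-reported host stays quiet for the suppression window); the index, sourcetype and match condition are placeholders.

```ini
# Added example savedsearches.conf stanza (not from the thread).
# Placeholders in angle brackets must be replaced with real values.
[one_alert_per_affected_host]
# Run every hour and look back exactly one hour, as the final reply proposes.
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1

# Collapse the matching events to one row per host, keeping only the most
# recent event and how many times it matched in the window, so the alert's
# result set shows the affected asset and its latest event at a glance.
search = index=<your_index> sourcetype=<your_sourcetype> <condition_of_interest> \
  | stats latest(_time) as _time latest(_raw) as _raw count by host \
  | table _time host count _raw

# Trigger once per result row ("for each event"), i.e. once per affected host.
alert.digest_mode = 0
counttype = number of events
relation = greater than
quantity = 0

# Suppress repeated triggers for the same host for one hour. A different host
# is not suppressed and fires its own alert.
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h

# Record each trigger under Activity > Triggered Alerts for the investigator.
alert.track = 1
```

Because `stats ... by host` leaves one row per host, "show events" on a triggered alert lists only the latest matching event for each affected host rather than every event in the window.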