
How can I throttle the alerts by multiple fields?

victorxbox
New Member

Dear all,

How can I throttle the alerts by multiple fields?
For example, I would like to throttle the alerts if and only if "src_ip", "dst_ip" and "msg" all match, as they do in log1 and log3.

log1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
log3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log4. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2

My expected alert results are
alert1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
alert2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
alert3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2

BR
Victor


datorsmurf
New Member

What I did to accomplish my variant of the starting question was to output an eval field from the search that I used as the throttle field.

| eval throttleId = a_field_from_the_search . "_" . another_field_in_the_search

The throttle expression was then: throttleId

The eval field could use just about any logic; the thread starter would possibly use the replace(X,Y,Z) function to strip out the log number.

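The composite throttle-field approach above, worked through on Victor's four sample events as an added example (this is not code from the thread or from Splunk). It assumes the alert is saved as a per-result alert with throttleId as its suppression field, i.e. the eval `| eval throttleId = src_ip . "_" . dst_ip . "_" . msg` in the search and, in savedsearches.conf, `alert.suppress = 1`, `alert.suppress.fields = throttleId` and a suppression period such as `alert.suppress.period = 1h`. The Python below simulates that per-result suppression so you can see which events would fire; the timestamps and the fifth repeated event are constructed.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample events: Victor's four log lines from the question, with
# made-up timestamps (seconds) one second apart, plus a repeat of log1 an hour
# later to show the suppression window expiring.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (0, "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1"),      # log1
    (1, "src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1"),      # log2
    (2, "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1"),      # log3, duplicate of log1
    (3, "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2"),      # log4
    (3601, "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1"),   # log1 again, after 1h
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Extract key=value pairs, roughly what Splunk's automatic field extraction yields."""
    return dict(KV_RE.findall(line))


def throttle_id(event: Dict[str, str], fields: Sequence[str]) -> str:
    """Build the same value as the SPL `eval throttleId = f1 . "_" . f2 . "_" . f3`.

    A missing field contributes an empty component, so the key is still
    deterministic rather than null (as it would be if a null field were
    concatenated in SPL without coalesce()).
    """
    return "_".join(event.get(f, "") for f in fields)


def simulate_throttle(
    events: Sequence[Tuple[int, str]], fields: Sequence[str], period_seconds: int
) -> List[Tuple[int, str]]:
    """Return the (timestamp, throttleId) pairs that survive per-result suppression.

    Mirrors per-result throttling: the first result carrying a given value of
    the suppression field fires; later results with the same value are dropped
    until period_seconds have elapsed since that firing.
    """
    last_fired: Dict[str, int] = {}
    fired: List[Tuple[int, str]] = []
    for ts, line in events:
        key = throttle_id(parse_event(line), fields)
        last = last_fired.get(key)
        if last is not None and ts - last < period_seconds:
            continue  # suppressed: same composite key inside the window
        last_fired[key] = ts
        fired.append((ts, key))
    return fired


if __name__ == "__main__":
    one_hour = 3600
    # Throttling on all three fields: log3 is suppressed, log1/2/4 fire, and
    # log1 fires again once the hour has passed.
    for ts, key in simulate_throttle(SAMPLE_EVENTS, ("src_ip", "dst_ip", "msg"), one_hour):
        print(f"t={ts:>5}s  alert  {key}")
    print("---")
    # Throttling on src_ip alone collapses everything from 1.1.1.1 into one alert per hour.
    for ts, key in simulate_throttle(SAMPLE_EVENTS, ("src_ip",), one_hour):
        print(f"t={ts:>5}s  alert  {key}")
```

Two practical points the simulation makes visible: the separator must be something that cannot occur in the field values (an "_" is fine for IPs and short message tokens, but a free-text msg could contain it and two different events could then produce the same key), and a field that is missing from an event changes the key, so normalise with coalesce() or fillnull before the eval if the alert must treat "no dst_ip" consistently.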

markthompson
Builder

Hi Victor,
When you create your alert, you should use an AND operator in your search string. For example, I would use an IF statement to set a field, e.g. SendAlert, to a boolean value of 0 or 1, and then trigger an alert from the results if SendAlert is equal to 1.

I hope this helps, if not, let me know and I'll come up with something else.


victorxbox
New Member

Hello aakwah,

Under "action option" in the alert item, can I put more than one field in "suppress results containing field value"?

BR
Victor


aakwah
Builder

Hello,

Could you please elaborate more? As per my understanding, you could make use of the logical operator OR, as in the following query:

(source=log1 src_ip=1.1.1.1) OR (source=log3 dst_ip="2.2.2.2")

Regards


markthompson
Builder

It would actually be the AND logical operator, as stated in the question, if they both match.
