- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How can I stop repeated alerts?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I stop repeated alerts?
Dear all,
How can I stop repeated alerts? How can I only send one alert for the same type of events in a certain period of time?
Many thanks
BR
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All,
Thanks for all of your replies. Maybe I further elaborate my problem.
I would like to use Splunk to replace the log aggregation feature that I am now using in ArcSight.
Below is the example of the log aggregation in Arcsight
In ArcSight, multiple fields were selected as the aggregated items which are "src_ip", "dst_ip" and "attack_name".
Once there is an attack log from the device. For example,
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
The arcsight will trigger an alert and send an email notification
When there is an other attack log with the same "src_ip", "dst_ip" and "attack_name"
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
The arcsight WILL NOT trigger any alert and email notification
But if one or more of the fields in the attack log are different.
A new alert and email notification will be triggered .
Can I build the similar logic in Splunk?
Many thanks
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi victor,
I do not know if this will help you, but it's like this I proceeded to manage my alerts.
• For the resolution of your of your problem if this is the case the following steps:
1- go to settings,
2- then pick Searches, reports, and alerts
3- check the Schedule this search option
4- look Alert tab and check the condition and choose the one you want and Alert Mode (choose the corresponding one)
5- Finally check Throttling (to limit the flow of alert)
Test and let me know if it works.
please forgive my english.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run a search and save as it alert .
Then go to Settings --> Searches ,Reports , and Alerts
Click to the Alert that you want it stop to trigger . In the opened form , check Schedule this search under Schedule and alert .
Then check After triggering the alert , don't trigger it again for that is under Throttling in drop down .
For alert sending check Enable Send email in section Alert actions and fill the fields which are there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use Alert Throttling to stop an alert to be fired again for certain time. See this
http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Aboutalerts (search for word Throttling)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Set those three fields as the throttling fields in your Splunk alert. If all three are equal, Splunk will remain quiet. If at least one is different, Splunk will let you know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Seomesoni
Yes, I have tried throttle and it does work for one field. But how if I would like throttle for multiple fields?
That's mean either one of the fields does not match will trigger a new alert. How can splunk cater this problem?
Many thanks
BR
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your alert definition? Could you please explain how you're currently using multiple fields to trigger alert?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to use Splunk to replace the log aggregation feature that I am now using in ArcSight.
Below is the example of the log aggregation in Arcsight
In ArcSight, multiple fields were selected as the aggregated items which are "src_ip", "dst_ip" and "attack_name".
Once there is an attack log from the device. For example,
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
The arcsight will trigger an alert and send an email notification
When there is an other attack log with the same "src_ip", "dst_ip" and "attack_name"
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
The arcsight WILL NOT trigger any alert and email notification
But if one or more of the fields in the attack log are different.
A new alert and email notification will be triggered .
Can I build the similar logic in Splunk?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
