Alerting

How to throttle an alert using more than one field?

yemyslf
Path Finder

I am trying to setup a throttle on an alert for multiple fields. In the example below, I only want to throttle alerts that contain the same user and url so I should get an alert for all the events except Event 3. I know I could enter url or user in the "Suppress results containing field value" field but then it would suppress other events for that user or url when I only one to suppress the combination of the two. I found another answer where the answer was to use | eval throttle= user.url in the search and then set "throttle" as the alert suppression field. I do see the throttle as a field which has the combined fields, but it's the alert is responding like its not a valid field as I only get one alert until the throttle threshold is met.

Any ideas?

Event 1
user=Mickey@disney.com
url=www.disney.com

Event 2 
user=Mickey@disney.com
url=www.starwars.com

Event 3
user=Mickey@disney.com
url=www.disney.com

Event  4
user=Donald@disney.com
url=www.starwars.com
0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

If you want to turn off alerts for the same result change the Alert mode to Once per result which will enable a field called Per result throttling fields which is where you put user and url.

Per this page http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Defineper-resultalerts#Set_up_throttling_for..., "The Suppress results with field value field accepts comma-delimited lists of multiple items."


Here's another strategy - a csv file (called myAlertThrottles.csv) that suppresses alerts, in this example for one hour.

your search that produces values to alert on 
| table user url 

| rename COMMENT as "This section calculates when to release this throttle, if it turns out to be a new alert."
| addinfo
| eval releasethrottle = relative_time (info_max_time,"+1h")

| rename COMMENT as "This section inputs the old set of throttles and rolls them together with the new ones."
| inputcsv append=t myAlertThrottles.csv
| stats min(info_max_time) as info_max_time, min(releasethrottle) as releasethrottle, max(releasethrottle) as newthrottle by user url


| rename COMMENT as "This section writes out the active and new throttles."
| appendpipe [| where releasethrottle > info_max_time | table user url releasethrottle | outputcsv append=f myAlertThrottles.csv| where false()]

| rename COMMENT as "Finally, we kill any records that are not new, and send the alert."
| where (releasethrottle==newthrottle) 
| table user url 

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

If you want to turn off alerts for the same result change the Alert mode to Once per result which will enable a field called Per result throttling fields which is where you put user and url.

Per this page http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Defineper-resultalerts#Set_up_throttling_for..., "The Suppress results with field value field accepts comma-delimited lists of multiple items."


Here's another strategy - a csv file (called myAlertThrottles.csv) that suppresses alerts, in this example for one hour.

your search that produces values to alert on 
| table user url 

| rename COMMENT as "This section calculates when to release this throttle, if it turns out to be a new alert."
| addinfo
| eval releasethrottle = relative_time (info_max_time,"+1h")

| rename COMMENT as "This section inputs the old set of throttles and rolls them together with the new ones."
| inputcsv append=t myAlertThrottles.csv
| stats min(info_max_time) as info_max_time, min(releasethrottle) as releasethrottle, max(releasethrottle) as newthrottle by user url


| rename COMMENT as "This section writes out the active and new throttles."
| appendpipe [| where releasethrottle > info_max_time | table user url releasethrottle | outputcsv append=f myAlertThrottles.csv| where false()]

| rename COMMENT as "Finally, we kill any records that are not new, and send the alert."
| where (releasethrottle==newthrottle) 
| table user url 

yemyslf
Path Finder

Thanks for the response. Sorry for not responding sooner as I've been tied up with other projects. I'll give this a shot and report back.

So I take it combining the fields as I had done using the eval statement and using that field as the throttle is not possible?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

You should be able to do this using the once per result option, per instructions in @woodcock's answer here -

https://answers.splunk.com/answers/295856/throttle-alerts-based-on-field-value.html

Updated this answer using a minor modification of his wording.

0 Karma

yemyslf
Path Finder

Thanks, I was aware of that field but for some reason, I thought separating the different fields with a comma would sever as an OR instead of AND.

So I ended up just entering user,url in the "Suppress results containing field value" box. This supressed events where the User AND URL were the same.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...