We are using Splunk to monitor some endpoint protection software via the windows application event log. The problem is that the software generates the same event every time an endpoint is restarted and we are getting swamped with nuisance emails. Is there a way that we can limit the emails to just one for each unique event message? Can a lookup table of triggered alerts be used to inhibit the triggering of a previously alerted repeated event? Can a script be created to check the contents of a lookup table so that only unique events are emailed?
Our alert query is currently:
Search: sourcetype="wineventlog:applicatioin" SourceName=xxxxxxxxx Message="A new threat*"
Ideally I want one email for each unique Message and no subsequent emails for identical Messages.
Thank you for your help.
You can used something called throttling
alert. Refer below document where you can specify field on which throttling is based on:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Alert/ThrottleAlerts
Thank you. I am reviewing this documentation now. Can I set the throttle time to 1 year? I would like to throttle on Sha256 signature. I cannot throttle by the Message because I need an email notification in the event of another new threat message.