How can I email just the first occurrence of a rep...

mtischler · ‎04-10-2018

We are using Splunk to monitor some endpoint protection software via the windows application event log. The problem is that the software generates the same event every time an endpoint is restarted and we are getting swamped with nuisance emails. Is there a way that we can limit the emails to just one for each unique event message? Can a lookup table of triggered alerts be used to inhibit the triggering of a previously alerted repeated event? Can a script be created to check the contents of a lookup table so that only unique events are emailed?

Our alert query is currently:
Search: sourcetype="wineventlog:applicatioin" SourceName=xxxxxxxxx Message="A new threat*"

Ideally I want one email for each unique Message and no subsequent emails for identical Messages.

Thank you for your help.

p_gurav · ‎04-10-2018

You can used something called throttling alert. Refer below document where you can specify field on which throttling is based on:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Alert/ThrottleAlerts

mtischler · ‎04-10-2018

Thank you. I am reviewing this documentation now. Can I set the throttle time to 1 year? I would like to throttle on Sha256 signature. I cannot throttle by the Message because I need an email notification in the event of another new threat message.

How can I email just the first occurrence of a repeated identical event?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability