Splunk IT Service Intelligence

ITSI Duplicate Alerts (Action)

felixwawolangi1
New Member

Hi,

I'm trying to configure a NEAP that would send one email / raise one SNOW incident for each episode.

I tried a few different Action Rules:

  • Number of events in episode >= 1 --> this would send emails for every notable event instead of one for the episode, and will continue sending emails until the episode breaks
  • Number of events in episode == 1 --> this does not trigger emails, since the episodes would typically have 3-4 events

I have a different NEAP for a different type of alert where it would raise the incident correctly after the 3rd (same) event, e.g. after 15 minutes at a 5 min search interval, by using:
  • Number of events in episode == 3

In this case though, the events are generated all at once, and there could be 1-8 events from different environments that I'm aggregating to one episode.

Regards
