Dear all,
How can I stop repeated alerts? How can I only send one alert for the same type of events in a certain period of time?
Many thanks
BR
Victor
Dear All,
Thanks for all of your replies. Maybe I should further elaborate my problem.
I would like to use Splunk to replace the log aggregation feature that I am now using in ArcSight.
Below is an example of the log aggregation in ArcSight.
In ArcSight, multiple fields were selected as the aggregated items which are "src_ip", "dst_ip" and "attack_name".
Once there is an attack log from the device, for example:
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
ArcSight will trigger an alert and send an email notification.
When there is another attack log with the same "src_ip", "dst_ip" and "attack_name":
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
ArcSight WILL NOT trigger any alert or email notification.
But if one or more of the fields in the attack log are different, a new alert and email notification will be triggered.
Can I build the similar logic in Splunk?
Many thanks
Victor
Hi Victor,
I do not know if this will help you, but this is how I proceeded to manage my alerts.
To resolve your problem, if this is the case, follow these steps:
1- Go to Settings,
2- then pick Searches, reports, and alerts.
3- Check the Schedule this search option.
4- Look at the Alert tab, check the condition and choose the one you want, and set Alert Mode (choose the corresponding one).
5- Finally check Throttling (to limit the flow of alerts).
Test and let me know if it works.
Please forgive my English.
Run a search and save it as an alert.
Then go to Settings --> Searches, Reports, and Alerts.
Click the alert that you want to stop triggering. In the form that opens, check Schedule this search under Schedule and alert.
Then check "After triggering the alert, don't trigger it again for", which is under Throttling in the drop down.
For alert sending, check Enable Send email in the Alert actions section and fill in the fields there.
You can use Alert Throttling to stop an alert from being fired again for a certain time. See this:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Aboutalerts (search for word Throttling)
Set those three fields as the throttling fields in your Splunk alert. If all three are equal, Splunk will remain quiet. If at least one is different, Splunk will let you know.
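As an added example (not posted by anyone in this thread), here is what that advice looks like as a savedsearches.conf stanza. The stanza name, index, sourcetype, search string, schedule, suppression period and e-mail address are assumptions or placeholders; only the three field names come from the question.

```ini
# Added example, not from the original thread. Index, sourcetype, schedule,
# suppression period and recipient are assumptions / placeholders.
[attack_alert_per_src_dst_attack]
# Search returning one row per attack event (index/sourcetype assumed).
# If the raw field is named "dst" rather than "dst_ip", rename it here
# (e.g. "| rename dst AS dst_ip") so the throttling field list below matches.
search = index=ids_logs sourcetype=ids src_ip=* dst_ip=* attack_name=* | table _time src_ip dst_ip attack_name
# Scheduled alert: run every 5 minutes over the last 5 minutes (assumed schedule).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Trigger condition: at least one result.
counttype = number of events
relation = greater than
quantity = 0
# Per-result mode: one alert per matching row, which is what lets throttling
# key on the field values of each individual result.
alert.digest_mode = 0
# Throttling on the three fields: once an alert fires for a given
# (src_ip, dst_ip, attack_name) combination, further results with that exact
# same combination are suppressed for 1 hour. A result that differs in any
# one of the three fields is a new combination and fires immediately.
alert.suppress = 1
alert.suppress.fields = src_ip,dst_ip,attack_name
alert.suppress.period = 1h
# E-mail action; the recipient is a placeholder.
action.email = 1
action.email.to = soc@example.com
action.email.subject = IDS alert: $result.attack_name$ from $result.src_ip$ to $result.dst_ip$
# Record fired alerts under Activity > Triggered Alerts.
alert.track = 1
```

The same settings are reachable in the UI when editing the alert: Trigger "For each result", then under Throttle enable "Suppress results containing field value" and list the three fields, with the suppression period in "Suppress triggering for".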
Dear Seomesoni
Yes, I have tried throttling and it does work for one field. But what if I would like to throttle on multiple fields?
That means if any one of the fields does not match, a new alert will be triggered. How can Splunk cater for this problem?
Many thanks
BR
Victor
What is your alert definition? Could you please explain how you're currently using multiple fields to trigger alert?