Define alert suppression groups to throttle sets of similar alerts
If your organization relies on a large number of alerts, you might find that you have collections of similar alerts that run over the same or very similar datasets. This can lead to situations where multiple alerts are being triggered frequently by the same set of data, producing a very high frequency of notifications, even when you have throttling rules set up for each alert.
You might manage this by uniting such alerts together into one large alert and applying throttling rules to it. This approach reduces the frequency of alert notifications. But it's also likely that this combined alert has poor search performance compared to the alerts that it replaces.
Instead, you can set up alert suppression groups for these sets of alerts. When a set of alerts share a suppression group, they are all throttled when one of them is triggered for the suppression period of the triggered alert. The triggered alert performs its alert actions, if it has any. The other alerts in the group don't perform their alert actions.
For example: You have an alert suppression group with five alerts. Each of these alerts has a different suppression period and a different alert action. If one alert from the group with an alert suppression period of 5 minutes and an email alert action is triggered, all of the alerts in the group are suppressed for 5 minutes. However, only one alert action happens: the email for the triggering alert.
Alerts belonging to different users cannot be included in the same suppression group.
Alert suppression group best practices
Alert suppression groups perform best when they are composed of alerts that have the same alert suppression period and set of alert actions. They should also share the same set of alert suppression fields, if they use suppression fields. This sharing of alert attributes helps to guarantee predictable behavior. You know that whenever an alert from the group is triggered, the rest of the alerts will be suppressed for the same amount of time, that the actions that take place are always the same, and that all of the alerts are triggered when one alert is triggered.
When alerts in a suppression group have different sets of suppression fields, you might find that multiple alerts within the group are triggered by different sets of data.
Create a suppression group
- Read Configure alert trigger conditions.
- Read Throttle alerts to learn how to set up alert throttling for individual alerts.
- Go to the Searches, Reports, and Alerts listing page by selecting Settings > Searches, reports, and alerts.
- Locate an alert that you want to add to an alert suppression group and select Edit > Advanced Edit.
The Type column indicates which saved searches in the list are configured as alerts. Select alerts that utilize throttling to suppress frequent alert notifications.
- On the Advanced Edit page for the alert, find the alert.suppress.group_name field and enter a name for the suppression group that this alert belongs to. Click Save.
- Repeat steps 2-3 for any other alerts in a suppression group with the first alert.
Set up alert actions
This documentation applies to the following versions of Splunk® Enterprise: 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.2.0, 8.2.1, 8.2.2, 8.1.0