Splunk Cloud Platform

Alerting Manual

Define alert suppression groups to throttle sets of similar alerts

If your organization relies on a large number of alerts, you might find that you have collections of similar alerts that run over the same or very similar datasets. This can lead to situations where multiple alerts are being triggered frequently by the same set of data, producing a very high frequency of notifications, even when you have throttling rules set up for each alert.

You might manage this by uniting such alerts together into one large alert and applying throttling rules to it. This approach reduces the frequency of alert notifications. But it's also likely that this combined alert has poor search performance compared to the alerts that it replaces.

Instead, you can set up alert suppression groups for these sets of alerts. When a set of alerts share a suppression group, they are all throttled when one of them is triggered for the suppression period of the triggered alert. The triggered alert performs its alert actions, if it has any. The other alerts in the group don't perform their alert actions.

For example: You have an alert suppression group with five alerts. Each of these alerts has a different suppression period and a different alert action. If one alert from the group with an alert suppression period of 5 minutes and an email alert action is triggered, all of the alerts in the group are suppressed for 5 minutes. However, only one alert action happens: the email for the triggering alert.

Alerts belonging to different users cannot be included in the same suppression group.

Alert suppression group best practices

Alert suppression groups perform best when they are composed of alerts that have the same alert suppression period and set of alert actions. They should also share the same set of alert suppression fields, if they use suppression fields. This sharing of alert attributes helps to guarantee predictable behavior. You know that whenever an alert from the group is triggered, the rest of the alerts will be suppressed for the same amount of time, that the actions that take place are always the same, and that all of the alerts are triggered when one alert is triggered.

When alerts in a suppression group have different sets of suppression fields, you might find that multiple alerts within the group are triggered by different sets of data.

Create a suppression group

Prerequisites

Steps

  1. Go to the Searches, Reports, and Alerts listing page by selecting Settings > Searches, reports, and alerts.
  2. Locate an alert that you want to add to an alert suppression group and select Edit > Advanced Edit.
    The Type column indicates which saved searches in the list are configured as alerts. Select alerts that utilize throttling to suppress frequent alert notifications.
  3. On the Advanced Edit page for the alert, find the alert.suppress.group_name field and enter a name for the suppression group that this alert belongs to. Click Save.
  4. Repeat steps 2-3 for any other alerts in a suppression group with the first alert.
Last modified on 12 June, 2020
Throttle alerts   Set up alert actions

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release), 8.2.2112, 8.2.2202, 9.0.2205, 8.2.2201, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters