Trying to find a way to limit email alerts

Hi,

so I'm trying to implement alerting when users are accessing files from a folder and as you know this can generate a lot of alerts.  I'm trying to see if I can use state variables or user defined groups to use as a flag to limit the number of emails sent.

The kind of result I'm looking for:

1. Get an email on the initial access.

2. Not get additional emails until some time passes, or until the number of access events reaches a certain count...

Wondering if any of you have had any success putting something like that in place.  Trying to use the Correlation Time section in the rule doesn't really give the desired results.

Thanks!

  • Yes, that's kind of the way I was thinking of doing it, however so far I have not been successful.  I created a rule that watches if the file monitoring rule fires 10 times in 30 seconds, and if it triggers it adds a specific value to a user defined group.  Then I modified my file monitoring rule to fire if that specific value is not in the user defined group.  The threshold rule works well and sets the flag correctly in the user defined group, but that doesn't make the file monitoring rule stop firing.  The only way I can explain this is if this sort of condition in a rule doesn't work:

    <Text constant> NOT IN <user defined group>

    So still searching.

    Thanks.

  • I was able to use Correlation Time in a satisfactory manner for my issue, but I will keep in mind the use of user-defined groups to stop a rule from triggering.

    The problem with that solution though was that the condition to stop the rule from being triggered doesn't exist fast enough to prevent being spammed with alerts.  For example, in the case where I copy a bunch of files to a monitored folder at once, all those events will trigger the rule before the value is added to the user-defined group to prevent further alerts, so I still get spammed.
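The behaviour the original post asks for (one email on first access, then silence until a quiet window passes or a count of swallowed events is reached), and the bulk-copy race the last reply describes, can both be shown with a small per-key throttle. The following is an added example written for this thread; it is not code from any of the posters or from any SIEM product's rule engine, and the event tuples, the `(user, folder)` key and the constructed sample events are all assumptions made for the illustration.

```python
"""Added example: a per-(user, folder) alert throttle for file-access events.

Not from the forum thread or any product; the event format and sample data
are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample events: (timestamp_seconds, user, folder).
# 25 events in 2.4 s simulate a bulk copy into a monitored folder.
SAMPLE_EVENTS = (
    [(i / 10, "alice", "/share/finance") for i in range(25)]   # burst
    + [(120.0, "alice", "/share/finance")]                     # inside quiet window
    + [(700.0, "alice", "/share/finance")]                     # quiet window expired
    + [(5.0, "bob", "/share/hr")]                              # unrelated key
)


@dataclass
class AlertThrottle:
    """Alert on the first event per key, then suppress until either
    quiet_seconds have elapsed since the last alert or max_suppressed
    events have been swallowed; the re-alert carries the swallowed count."""
    quiet_seconds: float
    max_suppressed: int
    _state: Dict[Tuple[str, str], dict] = field(default_factory=dict)

    def observe(self, ts: float, user: str, folder: str) -> Optional[int]:
        """Return the number of suppressed events to report if an alert
        should fire for this event, or None if it is suppressed."""
        key = (user, folder)
        st = self._state.get(key)
        if st is None:
            # First access ever seen for this key: always alert.
            self._state[key] = {"alerted_at": ts, "suppressed": 0}
            return 0
        if ts - st["alerted_at"] >= self.quiet_seconds:
            # Quiet window expired: alert again and report what was swallowed.
            swallowed = st["suppressed"]
            self._state[key] = {"alerted_at": ts, "suppressed": 0}
            return swallowed
        st["suppressed"] += 1
        if st["suppressed"] >= self.max_suppressed:
            # Count threshold hit inside the window: summarise and reset.
            swallowed = st["suppressed"]
            self._state[key] = {"alerted_at": ts, "suppressed": 0}
            return swallowed
        return None


def run(events, quiet_seconds: float = 300.0, max_suppressed: int = 20) -> List[tuple]:
    """Feed events through the throttle in timestamp order and return the
    alerts that would be emailed as (ts, user, folder, suppressed_count)."""
    throttle = AlertThrottle(quiet_seconds, max_suppressed)
    alerts = []
    for ts, user, folder in sorted(events):
        n = throttle.observe(ts, user, folder)
        if n is not None:
            alerts.append((ts, user, folder, n))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

With the defaults (300 s quiet window, re-alert after 20 suppressed events) the 28 constructed events produce four alerts: the first access, one summary alert at 2.0 s carrying 20 suppressed events, bob's first access, and a re-alert at 700 s carrying the 5 events swallowed since the last one. The race described in the last reply does not occur here because the suppression state is updated in the same step that decides whether the current event alerts, before the next event is examined; a design where a separate threshold rule sets the flag asynchronously leaves a gap in which a burst can still fire every event.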