Use Case Implementation Process
Splunk Query development - process control alert
A Splunk engineer recently reached out to me for a one-off engagement to create a Splunk alert based on particular combination of events. The data was a bit complex, as were the particular business requirements, and he wasn't sure how to implement the use case.
We adopted a collaborative approach and created a solution based on sample data. With our sample data, we had a very simple data set that we could easily understand, and even added various test cases in the sample data to test the query.
Another key to this solution was the use of the "for each result" alert criteria in combination with the alert throttle feature.