topic Re: How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields? in Alerting

How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

howwie — Thu, 14 Apr 2016 06:07:39 GMT

I have set up an alert that runs every 5 minutes to check for certain logs. I wanted to throttle the output based on 2 fields, so I enabled the throttle for 24 hrs and put the values in separated by a comma in the "Suppress results containing field value" field.

However, it looks like my alert is not as accurate as it should be. The values in the "Suppress results containing field value", once separated by a comma, do they act as an AND condition or OR condition?

So it's basically an alert set to run every 5 minutes throttled by 24 hrs based on 2 fields, which is not working as expected.

Re: How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

jmallorquin — Thu, 14 Apr 2016 12:56:21 GMT

Hi,

I had the same problem, and in my case i just create a filed to mix the other to fields and use it to the throttiling setting.

|eval throttling = field1.field2

Hope i help you

Re: How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

howwie — Thu, 14 Apr 2016 16:17:09 GMT

Great thanks, will give it a shot today.

Re: How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

devinmclean — Fri, 28 Oct 2016 17:15:58 GMT

I am having the same issue, and I do not quite understand what jmallorquin is suggesting. Does anyone else have the same issue or another solution?

Re: How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

bwlm — Sat, 06 Apr 2019 06:33:25 GMT

The field names that you enter separated by a comma, act as an "AND" operation in accordance with the Alerting Manual - Throttle Alert reference. For example, if your Alert search query summarized alert signature hits per host like the following fields to a table:

|table hostname, signature_id, signature_hit_time, signature_hit_count

If you set the Alert trigger as Per-result (For each result), enabled Throttle, and in the Suppress results containing field value added hostname, signature_id then the "Per-result" alert for that combination of "hostname AND signature_id" would be suppressed via Suppress triggering for time value. (in Splunk 7.2)

https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

Re: How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

woodcock — Sun, 07 Apr 2019 15:03:36 GMT

It is AND logic.