https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467336#M8287 <P>Thank you for helping me.</P> <P>I can understand I have to make new field.<BR /> But, I have a question.<BR /> What is it means (."_".)?<BR /> it means instead of AND?</P> Tue, 03 Sep 2019 04:54:35 GMT nanachu 2019-09-03T04:54:35Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467334#M8285 <P>Hi,all</P> <P>I have a question about how to write throttle alert.</P> <P>I want to specify two fields.</P> <P>But, I can not find document.</P> <P>my field is "name" and "region".</P> <P>I think name AND region OR name, region</P> <P>If you know that, please help me.</P> <P>Thank you. <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7603i87B2BA96B89438E3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 03 Sep 2019 00:34:38 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467334#M8285 nanachu 2019-09-03T00:34:38Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467335#M8286 <P>@nanachu </P> <P>I have a workaround. Can you please update your search by adding a new field?</P> <PRE><CODE>YOUR_SEARCH | eval throttle_field = name."_".region </CODE></PRE> <P>Use <CODE>throttle_field</CODE> filed as <CODE>suppress results containing field value</CODE>.</P> <P>Can you please try this?</P> Tue, 03 Sep 2019 04:50:04 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467335#M8286 kamlesh_vaghela 2019-09-03T04:50:04Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467336#M8287 <P>Thank you for helping me.</P> <P>I can understand I have to make new field.<BR /> But, I have a question.<BR /> What is it means (."_".)?<BR /> it means instead of AND?</P> Tue, 03 Sep 2019 04:54:35 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467336#M8287 nanachu 2019-09-03T04:54:35Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467337#M8288 <P>It's just a character used concatenation of two strings. You can use any other letters or symbols. It's just for better readability.</P> Tue, 03 Sep 2019 05:24:41 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467337#M8288 jawaharas 2019-09-03T05:24:41Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467338#M8289 <P>Thank you for helping me.</P> <P>I'm sorry but I don't understand much.<BR /> Could you help me?</P> <P>I want to suppress name AND region.<BR /> for example, <BR /> name=A ,region=singapore</P> <P>if I use </P> <PRE><CODE>|eval throttle_field = name." ".region </CODE></PRE> <P>I thought that is Asingapore.</P> <P>I want to suppress the same name and region.<BR /> (in this case, A and singapore is trigger)</P> <P>Can I use ."_".?</P> <P>If my English is bad, I'm really sorry.</P> <P>Regards,</P> Tue, 03 Sep 2019 06:14:20 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467338#M8289 nanachu 2019-09-03T06:14:20Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467339#M8290 <P>@nanachu</P> <P>Yes, you can use <CODE>_</CODE>.</P> <P>As per your requirement throttling should be on <CODE>name=A</CODE> and <CODE>region=singapore</CODE>. </P> <P>Means if any events arrive with the same field value then it should only consider if the duration between last occurrence and present occurrence is more than the defined throttle period. </P> <P>here we have provided <CODE>throttle_field</CODE> which is representing as throttling field with required values <CODE>A_singapore</CODE>.</P> Tue, 03 Sep 2019 06:19:37 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467339#M8290 kamlesh_vaghela 2019-09-03T06:19:37Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467340#M8291 <P>@nanachu You are doing good.</P> <PRE><CODE> &lt;YOUR_SEARCH&gt; | eval throttle_field = name."_".region </CODE></PRE> <P>It's better to use underscore, rather than a space for this purpose. After you modifying your query as mentioned above, just add the new field name - <CODE>throttle_field</CODE> in the <BR /> <STRONG>'Suppress results containing field value'</STRONG> input box in the 'Create Alert' configuration.</P> Tue, 03 Sep 2019 06:22:36 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467340#M8291 jawaharas 2019-09-03T06:22:36Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467341#M8292 <P>Thank you for your kind answer.<BR /> I understand so much.</P> <P>Thank you.</P> Tue, 03 Sep 2019 06:27:55 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467341#M8292 nanachu 2019-09-03T06:27:55Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467342#M8293 <P>Thank you for your kind answer.</P> <P>I can understand!</P> <P>Thank you.</P> Tue, 03 Sep 2019 06:28:42 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467342#M8293 nanachu 2019-09-03T06:28:42Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467343#M8294 <P>@nanachu change trigger alert when to "once per result" and this will enable field "Per result throttling field" and there you can put your field value pairs for throttling</P> Tue, 03 Sep 2019 06:47:21 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467343#M8294 snigdhasaxena 2019-09-03T06:47:21Z https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467344#M8295 <P>@nanachu</P> <P>Does this answer solved your issue?? If yes then can you please accept this answer to close this question?? If No please let us know so we can help you further on it. </P> <P><STRONG>Happy Splunking</STRONG></P> Tue, 03 Sep 2019 07:06:29 GMT https://community.splunk.com/t5/Alerting/How-to-write-throttle-alert/m-p/467344#M8295 kamlesh_vaghela 2019-09-03T07:06:29Z