Alerting

How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

howwie
New Member

I have set up an alert that runs every 5 minutes to check for certain logs. I wanted to throttle the output based on 2 fields, so I enabled the throttle for 24 hrs and put the values in separated by a comma in the "Suppress results containing field value" field.

However, it looks like my alert is not as accurate as it should be. The values in the "Suppress results containing field value", once separated by a comma, do they act as an AND condition or OR condition?

So it's basically an alert set to run every 5 minutes throttled by 24 hrs based on 2 fields, which is not working as expected.

0 Karma

woodcock
Esteemed Legend

It is AND logic.

0 Karma

bwlm
Path Finder

The field names that you enter separated by a comma, act as an "AND" operation in accordance with the Alerting Manual - Throttle Alert reference. For example, if your Alert search query summarized alert signature hits per host like the following fields to a table:

|table hostname, signature_id, signature_hit_time, signature_hit_count

If you set the Alert trigger as Per-result (For each result), enabled Throttle, and in the Suppress results containing field value added hostname, signature_id then the "Per-result" alert for that combination of "hostname AND signature_id" would be suppressed via Suppress triggering for time value. (in Splunk 7.2)

https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

0 Karma

devinmclean
Path Finder

I am having the same issue, and I do not quite understand what jmallorquin is suggesting. Does anyone else have the same issue or another solution?

0 Karma

jmallorquin
Builder

Hi,

I had the same problem, and in my case i just create a filed to mix the other to fields and use it to the throttiling setting.

|eval throttling = field1.field2

Hope i help you

howwie
New Member

Great thanks, will give it a shot today.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...