Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

howwie
New Member
‎04-13-2016 11:07 PM

I have set up an alert that runs every 5 minutes to check for certain logs. I wanted to throttle the output based on 2 fields, so I enabled the throttle for 24 hrs and put the values in separated by a comma in the "Suppress results containing field value" field.

However, it looks like my alert is not as accurate as it should be. The values in the "Suppress results containing field value", once separated by a comma, do they act as an AND condition or OR condition?

So it's basically an alert set to run every 5 minutes throttled by 24 hrs based on 2 fields, which is not working as expected.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-07-2019 08:03 AM

It is AND logic.

0 Karma
Reply

bwlm
Path Finder
‎04-05-2019 11:33 PM

The field names that you enter separated by a comma, act as an "AND" operation in accordance with the Alerting Manual - Throttle Alert reference. For example, if your Alert search query summarized alert signature hits per host like the following fields to a table:

|table hostname, signature_id, signature_hit_time, signature_hit_count

If you set the Alert trigger as Per-result (For each result), enabled Throttle, and in the Suppress results containing field value added hostname, signature_id then the "Per-result" alert for that combination of "hostname AND signature_id" would be suppressed via Suppress triggering for time value. (in Splunk 7.2)

https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

0 Karma
Reply

devinmclean
Path Finder
‎10-28-2016 10:15 AM

I am having the same issue, and I do not quite understand what jmallorquin is suggesting. Does anyone else have the same issue or another solution?

0 Karma
Reply

jmallorquin
Builder
‎04-14-2016 05:56 AM

Hi,

I had the same problem, and in my case i just create a filed to mix the other to fields and use it to the throttiling setting.

|eval throttling = field1.field2

Hope i help you

Reply

howwie
New Member
‎04-14-2016 09:17 AM

Great thanks, will give it a shot today.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...