- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: How to set an alert to run every 5 minutes wit...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?
I have set up an alert that runs every 5 minutes to check for certain logs. I wanted to throttle the output based on 2 fields, so I enabled the throttle for 24 hrs and put the values in separated by a comma in the "Suppress results containing field value" field.
However, it looks like my alert is not as accurate as it should be. The values in the "Suppress results containing field value", once separated by a comma, do they act as an AND condition or OR condition?
So it's basically an alert set to run every 5 minutes throttled by 24 hrs based on 2 fields, which is not working as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is AND logic.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The field names that you enter separated by a comma, act as an "AND" operation in accordance with the Alerting Manual - Throttle Alert reference. For example, if your Alert search query summarized alert signature hits per host like the following fields to a table:
|table hostname, signature_id, signature_hit_time, signature_hit_count
If you set the Alert trigger as Per-result (For each result), enabled Throttle, and in the Suppress results containing field value added hostname, signature_id then the "Per-result" alert for that combination of "hostname AND signature_id" would be suppressed via Suppress triggering for time value. (in Splunk 7.2)
https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having the same issue, and I do not quite understand what jmallorquin is suggesting. Does anyone else have the same issue or another solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I had the same problem, and in my case i just create a filed to mix the other to fields and use it to the throttiling setting.
|eval throttling = field1.field2
Hope i help you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great thanks, will give it a shot today.
Observability | How to Think About Instrumentation Overhead (White Paper)
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
The Great Resilience Quest: 10th Leaderboard Update
