Alerting

How to set an alert to run every 5 minutes with an alert throttle set for 24 hours based on 2 fields?

howwie
New Member

I have set up an alert that runs every 5 minutes to check for certain logs. I wanted to throttle the output based on 2 fields, so I enabled the throttle for 24 hrs and put the values in separated by a comma in the "Suppress results containing field value" field.

However, it looks like my alert is not as accurate as it should be. The values in the "Suppress results containing field value", once separated by a comma, do they act as an AND condition or OR condition?

So it's basically an alert set to run every 5 minutes throttled by 24 hrs based on 2 fields, which is not working as expected.

0 Karma

woodcock
Esteemed Legend

It is AND logic.

0 Karma

bwlm
Path Finder

The field names that you enter separated by a comma, act as an "AND" operation in accordance with the Alerting Manual - Throttle Alert reference. For example, if your Alert search query summarized alert signature hits per host like the following fields to a table:

|table hostname, signature_id, signature_hit_time, signature_hit_count

If you set the Alert trigger as Per-result (For each result), enabled Throttle, and in the Suppress results containing field value added hostname, signature_id then the "Per-result" alert for that combination of "hostname AND signature_id" would be suppressed via Suppress triggering for time value. (in Splunk 7.2)

https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

0 Karma

devinmclean
Path Finder

I am having the same issue, and I do not quite understand what jmallorquin is suggesting. Does anyone else have the same issue or another solution?

0 Karma

jmallorquin
Builder

Hi,

I had the same problem, and in my case i just create a filed to mix the other to fields and use it to the throttiling setting.

|eval throttling = field1.field2

Hope i help you

howwie
New Member

Great thanks, will give it a shot today.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...