@nanachu

Does this answer solved your issue?? If yes then can you please accept this answer to close this question?? If No please let us know so we can help you further on it.

Happy Splunking

Thank you for helping me.

I can understand I have to make new field.
But, I have a question.
What is it means (."_".)?
it means instead of AND?

It's just a character used concatenation of two strings. You can use any other letters or symbols. It's just for better readability.

Thank you for helping me.

I'm sorry but I don't understand much.
Could you help me?

I want to suppress name AND region.
for example,
name=A ,region=singapore

if I use

|eval throttle_field = name." ".region

I thought that is Asingapore.

I want to suppress the same name and region.
(in this case, A and singapore is trigger)

Can I use ."_".?

If my English is bad, I'm really sorry.

Regards,

@nanachu You are doing good.

 <YOUR_SEARCH> | eval throttle_field = name."_".region

It's better to use underscore, rather than a space for this purpose. After you modifying your query as mentioned above, just add the new field name - throttle_field in the
'Suppress results containing field value' input box in the 'Create Alert' configuration.

Thank you for your kind answer.

I can understand!

Thank you.

@nanachu

Yes, you can use _.

As per your requirement throttling should be on name=A and region=singapore.

Means if any events arrive with the same field value then it should only consider if the duration between last occurrence and present occurrence is more than the defined throttle period.

here we have provided throttle_field which is representing as throttling field with required values A_singapore.

Thank you for your kind answer.
I understand so much.

Thank you.