Alerting

How to write throttle alert?

nanachu
Path Finder

Hi,all

I have a question about how to write throttle alert.

I want to specify two fields.

But, I can not find document.

my field is "name" and "region".

I think name AND region OR name, region

If you know that, please help me.

Thank you. alt text

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@nanachu

I have a workaround. Can you please update your search by adding a new field?

YOUR_SEARCH | eval throttle_field = name."_".region

Use throttle_field filed as suppress results containing field value.

Can you please try this?

View solution in original post

0 Karma

snigdhasaxena
Communicator

@nanachu change trigger alert when to "once per result" and this will enable field "Per result throttling field" and there you can put your field value pairs for throttling

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@nanachu

I have a workaround. Can you please update your search by adding a new field?

YOUR_SEARCH | eval throttle_field = name."_".region

Use throttle_field filed as suppress results containing field value.

Can you please try this?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@nanachu

Does this answer solved your issue?? If yes then can you please accept this answer to close this question?? If No please let us know so we can help you further on it.

Happy Splunking

0 Karma

nanachu
Path Finder

Thank you for helping me.

I can understand I have to make new field.
But, I have a question.
What is it means (."_".)?
it means instead of AND?

0 Karma

jawaharas
Motivator

It's just a character used concatenation of two strings. You can use any other letters or symbols. It's just for better readability.

nanachu
Path Finder

Thank you for helping me.

I'm sorry but I don't understand much.
Could you help me?

I want to suppress name AND region.
for example,
name=A ,region=singapore

if I use

|eval throttle_field = name." ".region

I thought that is Asingapore.

I want to suppress the same name and region.
(in this case, A and singapore is trigger)

Can I use ."_".?

If my English is bad, I'm really sorry.

Regards,

0 Karma

jawaharas
Motivator

@nanachu You are doing good.

 <YOUR_SEARCH> | eval throttle_field = name."_".region

It's better to use underscore, rather than a space for this purpose. After you modifying your query as mentioned above, just add the new field name - throttle_field in the
'Suppress results containing field value' input box in the 'Create Alert' configuration.

nanachu
Path Finder

Thank you for your kind answer.

I can understand!

Thank you.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@nanachu

Yes, you can use _.

As per your requirement throttling should be on name=A and region=singapore.

Means if any events arrive with the same field value then it should only consider if the duration between last occurrence and present occurrence is more than the defined throttle period.

here we have provided throttle_field which is representing as throttling field with required values A_singapore.

nanachu
Path Finder

Thank you for your kind answer.
I understand so much.

Thank you.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...