Alerting

How to write throttle alert?

nanachu
Path Finder

Hi,all

I have a question about how to write throttle alert.

I want to specify two fields.

But, I can not find document.

my field is "name" and "region".

I think name AND region OR name, region

If you know that, please help me.

Thank you.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

@nanachu

I have a workaround. Can you please update your search by adding a new field?

YOUR_SEARCH | eval throttle_field = name."_".region

Use the throttle_field field as the "suppress results containing field value" field.

Can you please try this?


0 Karma

snigdhasaxena
Communicator

@nanachu Change "Trigger alert when" to "once per result". This will enable the "Per result throttling field" field, and there you can put your field value pairs for throttling.

0 Karma

kamlesh_vaghela
SplunkTrust

@nanachu

Does this answer solve your issue? If yes, can you please accept this answer to close this question? If no, please let us know so we can help you further with it.

Happy Splunking

0 Karma

nanachu
Path Finder

Thank you for helping me.

I understand that I have to make a new field.
But I have a question.
What does (."_".) mean?
Does it mean "instead of AND"?

0 Karma

jawaharas
Motivator

It's just a character used for concatenation of two strings. You can use any other letters or symbols. It's just for better readability.

nanachu
Path Finder

Thank you for helping me.

I'm sorry, but I don't understand much.
Could you help me?

I want to suppress on name AND region.
For example:
name=A, region=singapore

If I use

|eval throttle_field = name." ".region

I thought that would be "A singapore".

I want to suppress the same name and region.
(In this case, A and singapore is the trigger.)

Can I use ."_".?

If my English is bad, I'm really sorry.

Regards,

0 Karma

jawaharas
Motivator

@nanachu You are doing good.

 <YOUR_SEARCH> | eval throttle_field = name."_".region

It's better to use an underscore rather than a space for this purpose. After modifying your query as mentioned above, just add the new field name, throttle_field, in the
'Suppress results containing field value' input box in the 'Create Alert' configuration.

nanachu
Path Finder

Thank you for your kind answer.

I can understand!

Thank you.

0 Karma

kamlesh_vaghela
SplunkTrust

@nanachu

Yes, you can use _.

As per your requirement, throttling should be on name=A and region=singapore.

This means that if any events arrive with the same field value, the alert should only trigger again if the duration between the last occurrence and the present occurrence is more than the defined throttle period.

Here we have provided throttle_field, which represents the throttling field with the required value A_singapore.
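To make the suppression semantics described above concrete, here is an added Python model (not code from the thread or from Splunk) of per-result throttling on a concatenated key. It assumes a hypothetical `simulate_per_result_throttle` function that mirrors the behaviour of "Suppress results containing field value": a key fires the first time it is seen and again only after the throttle period has elapsed. The sample results are constructed for the example. It also shows an edge case the thread does not mention: if the separator character (here `_`) can appear inside the field values themselves, two different name/region pairs can collapse into the same key and throttle each other.

```python
from datetime import datetime, timedelta

# Constructed sample search results (not real data): each result carries
# the two fields the question is about plus a timestamp.
SAMPLE_RESULTS = [
    {"_time": "2024-12-01T10:00:00", "name": "A", "region": "singapore"},
    {"_time": "2024-12-01T10:10:00", "name": "A", "region": "singapore"},  # same key, inside period
    {"_time": "2024-12-01T10:15:00", "name": "A", "region": "tokyo"},      # different region
    {"_time": "2024-12-01T10:20:00", "name": "B", "region": "singapore"},  # different name
    {"_time": "2024-12-01T11:30:00", "name": "A", "region": "singapore"},  # same key, period expired
]


def throttle_key(result, fields=("name", "region"), sep="_"):
    """Model of `| eval throttle_field = name."_".region`: join the field values with sep."""
    return sep.join(str(result[f]) for f in fields)


def simulate_per_result_throttle(results, period_minutes, key_fn=throttle_key):
    """Hypothetical model of Splunk per-result throttling.

    Returns the results that would trigger the alert: a key fires the first
    time it is seen and again only when more than `period_minutes` have
    passed since the last time that key fired.
    """
    period = timedelta(minutes=period_minutes)
    last_fired = {}
    fired = []
    for r in sorted(results, key=lambda r: r["_time"]):
        t = datetime.fromisoformat(r["_time"])
        key = key_fn(r)
        prev = last_fired.get(key)
        if prev is None or (t - prev) > period:
            last_fired[key] = t
            fired.append(r)
    return fired


def key_collisions(results, sep="_"):
    """Find distinct (name, region) pairs that produce the same concatenated key.

    This is the weakness of a joined key: if `sep` can occur inside a value,
    unrelated pairs share a throttle key and suppress each other.
    """
    seen = {}
    collisions = []
    for r in results:
        key = throttle_key(r, sep=sep)
        pair = (r["name"], r["region"])
        if key in seen and seen[key] != pair:
            collisions.append((seen[key], pair, key))
        seen.setdefault(key, pair)
    return collisions


if __name__ == "__main__":
    for r in simulate_per_result_throttle(SAMPLE_RESULTS, period_minutes=60):
        print(r["_time"], throttle_key(r))
    # Constructed edge case: the separator appears inside a field value.
    ambiguous = [
        {"_time": "2024-12-01T10:00:00", "name": "A", "region": "us_east"},
        {"_time": "2024-12-01T10:05:00", "name": "A_us", "region": "east"},
    ]
    print(key_collisions(ambiguous))
```

With a 60-minute period, four of the five sample results fire: the 10:10 result is suppressed because `A_singapore` fired at 10:00, while the 11:30 result fires again because more than an hour has passed. The collision check is the reason to pick a separator that cannot occur in either field, or to validate the values, before relying on the joined key.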

nanachu
Path Finder

Thank you for your kind answer.
I understand so much.

Thank you.

0 Karma