Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

throttling fields

Michael
Contributor
‎05-23-2014 07:02 AM

I've used throttling in the past, but this feature must be new from one of the updates. It was simple before "don't trigger again after x time", period. But now it's asking for "Per result throttling fields" -- and I have not idea what that's asking for. Searching for it here results in tons of information on how to set alerts, and throttling, but doesn't say what this is...and it's apparently important as it won't let me use throttling without it!

I have a simple search:
source="/var/log/processes.log" | stats count as processes.log | search count < 10

My alert will trigger if this is true (number of events is greater than one). I want to run this every hour, but if a process is down, I don't want to come in on a Monday morning to 48 emails -- one a day will do. So I set the throttling to not trigger again for 24 hours. BUT, I don't know what a "throttling field" is.

Please enlighten!

Tags (1)
Reply

linu1988
Champion
‎05-23-2014 02:21 PM

I am not sure about the search . But processes.log will become your throttling field name. As once you receive it you don't want to get an alert until next 24 horus.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-23-2014 10:15 AM

I think you can specify a dummy field name - that will always be null. As a result, it won't trigger again for that time.

The idea is for example to have a host field and only be silent for hosts that have triggered in the past day but still throw an alert for a new host.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-01-2014 09:40 AM

Has your issue been solved?

0 Karma
Reply

Michael
Contributor
‎05-27-2014 10:09 AM

Thank you! I tried that before and it didn't work -- but after simplifying the alert to a simple check for the number of events being less than 10 (and taking out the "stats count..." and "search count..." cruft) it seems to be working dandy...

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...