Re: Alert Throttle Not Working

griffins · ‎07-23-2023

Hi folks,

I have a very simple alert set up that triggers if the number of results is greater than 0. I'd like to throttle the alert from triggering again for a specified time period, but the throttle seems to be ignored.

Search:
index=sample host=example_host

Schedule:
Cron - */5 * * * *

Trigger:
Number of Results > 0
Trigger Once

Throttle:
Suppress triggering for 10 minutes.

Action:
Send email.

The alert triggers with no problem; however, rather than throttling for 10 minutes, the alert gets triggered again after 5 minutes if the condition is met. It's a simple search where the trigger condition is there being any results at all. What am I doing wrong here? Any help would be greatly appreciated!

Thulasinathan_M · ‎07-23-2023

Your schedluer runs every 5 mins, it should be Cron - */10 * * * *. If you wish to run every 10 mins.

griffins · ‎07-23-2023

I don't want it to run every 10 minutes, I want the search to run every 5 minutes, but throttle for 10 minutes if the alert condition is met, and an alert is triggered.

Alert Throttle Not Working

alert action

alert condition

cron

throttling

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation