Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert Throttle Not Working

griffins
Explorer
‎07-23-2023 07:39 AM

Hi folks,

I have a very simple alert set up that triggers if the number of results is greater than 0. I'd like to throttle the alert from triggering again for a specified time period, but the throttle seems to be ignored.

Search:
index=sample host=example_host

Schedule:
Cron - */5 * * * *

Trigger:
Number of Results > 0
Trigger Once

Throttle:
Suppress triggering for 10 minutes.

Action:
Send email.

The alert triggers with no problem; however, rather than throttling for 10 minutes, the alert gets triggered again after 5 minutes if the condition is met. It's a simple search where the trigger condition is there being any results at all. What am I doing wrong here? Any help would be greatly appreciated!

Labels (4)
0 Karma
Reply

Thulasinathan_M
Communicator
‎07-23-2023 07:44 AM

Your schedluer runs every 5 mins, it should be Cron - */10 * * * *. If you wish to run every 10 mins.

0 Karma
Reply

griffins
Explorer
‎07-23-2023 07:47 AM

I don't want it to run every 10 minutes, I want the search to run every 5 minutes, but throttle for 10 minutes if the alert condition is met, and an alert is triggered.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...