Splunk Enterprise Security

Is throttling based on the trigger time or on event time

yanhu
Engager

I would like to confirm what time the throttling window duration is using: is it based on the trigger time or on the event time? Also, what is the difference between throttling for 1 day and for 24 hours?

We have a correlation search, with real-time scheduling.

Trigger alert when number of results is greater than 0; Throttling window duration is set to 1 day. 

Search is scheduled to run at 15 * * * *  for time range -5m@m to -65m@m

The first notable was triggered on Aug 4 at 16:17, which reported the event occurred at 15:36 on Aug 4.

The second event occurred on Aug 5 at 16:08, which didn't trigger the notable.

When I reran the SPL manually for the time range 15:10 - 16:10, the search returned results.

What would be the reason for not seeing the alert? Throttling? Or the event not being received in Splunk when the search was running?


Thanks!

1 Solution

richgalloway
SplunkTrust
Throttling is based on trigger time.
AFAIK, '1d' and '24h' are the same, but there may be a subtle difference.
The second alert probably didn't appear because of throttling.
---
If this reply helps you, Karma would be appreciated.

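As an added illustration of the accepted answer, the following simulator (written for this page, not code from the thread or from Splunk) replays the question's setup: an hourly cron at minute 15, a search range of -65m@m to -5m@m, a 1-day throttle, and events at Aug 4 15:36 and Aug 5 16:08. The year and the per-run dispatch latencies (seconds between the cron time and the moment the alert action fires) are constructed assumptions. It keys the throttle on trigger time, as the answer states Splunk does, and on event time for contrast.

```python
# Added example, not from the thread: simulate Splunk-style alert throttling
# for the correlation search described in the question.
# Constructed assumptions: the year (2024) and per-run dispatch latencies.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

_REL = re.compile(r"^-(\d+)([mhd])@([mhd])$")
_UNIT = {"m": timedelta(minutes=1), "h": timedelta(hours=1), "d": timedelta(days=1)}


def relative_time(now: datetime, spec: str) -> datetime:
    """Resolve a Splunk relative time such as '-65m@m': subtract the offset,
    then snap down to the unit after the '@'."""
    m = _REL.match(spec)
    if not m:
        raise ValueError(f"unsupported relative time: {spec}")
    n, unit, snap = int(m.group(1)), m.group(2), m.group(3)
    t = now - n * _UNIT[unit]
    if snap == "m":
        return t.replace(second=0, microsecond=0)
    if snap == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


@dataclass
class Outcome:
    scheduled_at: datetime            # cron fire time of the run that found results
    trigger_at: datetime              # when the alert action would have fired
    suppressed: bool                  # True if the throttle swallowed it
    suppressed_until: Optional[datetime]  # end of the throttle window in force, if any


def simulate(runs: List[Tuple[datetime, timedelta]], events: List[datetime],
             earliest: str = "-65m@m", latest: str = "-5m@m",
             throttle: timedelta = timedelta(days=1), key: str = "trigger") -> List[Outcome]:
    """runs: (scheduled_at, dispatch_latency) per cron fire; events: event _time values.
    key='trigger' throttles on the time the alert fired (the behaviour the accepted
    answer describes); key='event' throttles on the matched event's timestamp."""
    outcomes: List[Outcome] = []
    last_key: Optional[datetime] = None
    for scheduled_at, latency in runs:
        start = relative_time(scheduled_at, earliest)
        end = relative_time(scheduled_at, latest)
        hits = [e for e in events if start <= e < end]  # earliest inclusive, latest exclusive
        if not hits:
            continue
        trigger_at = scheduled_at + latency
        this_key = trigger_at if key == "trigger" else max(hits)
        until = last_key + throttle if last_key is not None else None
        suppressed = until is not None and this_key < until
        outcomes.append(Outcome(scheduled_at, trigger_at, suppressed, until))
        if not suppressed:
            last_key = this_key  # a suppressed trigger does not restart the window
    return outcomes


def build_scenario() -> Tuple[List[Tuple[datetime, timedelta]], List[datetime]]:
    """Cron '15 * * * *' over Aug 4 and Aug 5 with the two events from the question."""
    year = 2024  # constructed: the thread gives only month and day
    events = [datetime(year, 8, 4, 15, 36), datetime(year, 8, 5, 16, 8)]
    runs = []
    t = datetime(year, 8, 4, 0, 15)
    while t <= datetime(year, 8, 5, 23, 15):
        # constructed: the Aug 4 16:15 run took 2m10s to dispatch, every other run 2m00s
        slow = t == datetime(year, 8, 4, 16, 15)
        runs.append((t, timedelta(minutes=2, seconds=10 if slow else 0)))
        t += timedelta(hours=1)
    return runs, events


def by_trigger_time() -> List[Outcome]:
    runs, events = build_scenario()
    return simulate(runs, events, key="trigger")


def by_event_time() -> List[Outcome]:
    runs, events = build_scenario()
    return simulate(runs, events, key="event")


if __name__ == "__main__":
    for label, outcomes in (("trigger time", by_trigger_time()), ("event time", by_event_time())):
        print(f"throttle keyed on {label}:")
        for o in outcomes:
            state = f"SUPPRESSED until {o.suppressed_until}" if o.suppressed else "fired"
            print(f"  run {o.scheduled_at} -> trigger {o.trigger_at}: {state}")
```

Only two runs ever return results: the Aug 4 16:15 run (range 15:10 to 16:10, containing 15:36) and the Aug 5 16:15 run (range 15:10 to 16:10, containing 16:08). Keyed on trigger time, the second trigger lands seconds before the 24-hour mark of the first one and is suppressed; keyed on event time it would have fired, because the events are 24h32m apart. The practical point is that an hourly cron combined with a 1-day throttle puts each day's trigger right on the window boundary, so scheduler latency decides the outcome; a throttle slightly shorter than the cron period of interest, or a throttle field that distinguishes the two events, avoids the race. Whether the Aug 5 run actually executed is something the _audit query and the Monitoring Console scheduler view mentioned further down this thread can confirm.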

thambisetty
SplunkTrust

It's based on trigger time and the field set you choose when enabling throttling while creating the correlation rule.

————————————
If this helps, give a like below.

isoutamo
SplunkTrust

You can find your executed alert searches with the following query if you don't have the MC installed:

index=_audit sourcetype=audittrail action=search user=<user which are running your alert> savedsearch_name=<your alerts name>


And if you have the MC, then just look at:

Settings -> MC -> Search -> Scheduler Activity (instance, deployment based on your environment)

There you can see e.g. skipped searches and the reasons for them.

r. Ismo 
