Alert - Throttling is not working for search query

prsubramanian · ‎11-21-2019

Hi,
I have a requirement. Please suggest how to proceed further.
In the Alert need to run the search query for every 2 mins but the search query should not run for next 5 mins(given in "Suppress triggering for") which is given in throttling. And added to alert action is added with the severity as "Info".
Result:
Here after saving the Alert the query gets executed for every 2 mins, which is correct as expected but it should not executed the search query for next 5 mins which is given in throttling minutes. But the Added to alert actions executed every 5 mins.

Settings given as below:
Alert Type:Scheduled
Run on Cron Scheduled
Real Time
Cron Expression: */2 * * * *

Trigger Conditions:
Number of Results : is greater than 0
Trigger : Once
Throttle: Checked
Suppress Trigger for: 5 minutes

Trigger Actions:
Add to Trigger Alerts: Info

In shortly the search query in Alert need to execute and the query should not get execute based on throttling minutes which is given.
But now the search query is executing based on given cron schedule, and the throtling works for only added to alerts only.
Is the throtling will work only for Trigger Actions like "Added to alerts"... Please confirm.

Please let me know any information required.
Thanks,

Alert - Throttling is not working for search query

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Alert - Throttling is not working for search query

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!