Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert throttle not working with renamed fields

_stoff
Observer
‎08-26-2021 09:10 AM

I have multiple alerts with searches similar to the one below where fields are renamed to a numeric ordering. The search results are passed from phantom to a webex chat which reorders the fields unless this is done. 

I am seeing back to back alerts when the throttle should have enacted. This also doesn't occur for all field values. An example would be an alert at 01:10 and 01:11 both containing the same throttled field value.

At a loss at what the cause is. It doesn't appear to be the _'s because I would expect this behavior for all ~20 alerts of this format.

Example search and alert configuration:

Throttle for each result, value: 3_Publication

index=database sourcetype=mssql:replication:status
| fields _time, host, publisher, publication, agent_name, agent_type, agent_status
| eval host = upper(host)
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S")
| table Time, host, publisher, publication, agent_name, agent_type, agent_status
| rename Time as 0_Time, host as 1_Host, publisher as 2_Publisher, publication as 3_Publication, agent_name as 4_Agent_Name, agent_type as 5_Agent_Type, agent_status as 6_Agent_Status

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2021 05:37 AM

Just on the off-chance it makes a difference, try putting rename before table.  You'll have to change the field names in the table command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...