How do I specify multiple separate fields in the "...

jguglielmi · ‎03-30-2016

I am reporting on batch processing.
At the highest level there us the concept of a "Batchid" and within each batchid there can be multiple "Jobid"'s.
Each job can possible fail which provides a literal "error" in a field I interrogate.
I want to alert based on every time a unique BatchID has an "error" field associated.
However, I want to check every 10 minutes and only send an alert when the batchid and jobid's are different.
If I just supress based on the same batchid being present, I might miss the case where the origonal jobid gets resoved, but the next job under the same batchid fails.
This is what I want to do:

batchid jobid action
1234 432 alert
1234 432 throttle wait
1234 567 alert
1267 123 alert

maciep · ‎03-31-2016

Is this what you're referring to? I think you can put multiple fields in that throttle field list. So you can put it batchid and jobid in there maybe?

http://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

If that doesn't work or isn't an option, what about just eval'ing a new field in your search and then throttle based on it?

... | eval throttle_field = batchid." - ".jobid | ...

And then just choose that field for the throttling logic?

How do I specify multiple separate fields in the "supress alerts with field value"

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!