Splunk Search

How does throttle work

lucas4394
Path Finder

I wonder how the throttling works if the last pipeline of the search is to redirect the results to different tools/software such as send the results to ticketing systems. I got the repeat events in the ticketing system although the content in the throttling field was the same.

Any clues? Thanks.

Sample search and the field1 is the throttling field:

blah blah ...
| eval field1=fieldx.last_report_time
| table field1 field2 field3, field4
| sendResultToTicket
0 Karma
1 Solution

aberkow
Builder

My understanding of throttling is that it prevents alert actions from being triggered. Since a pipe command is still part of the search, I would guess that throttling would have no effect on preventing | sendResultToTicket from occurring, because the search hasn't completed yet and can't be throttled. I think this because the front end says After an alert is triggered, subsequent alerts will not be triggered until after the throttle period, but that doesn't say "they aren't run".

As a suggestion on what you can do - create a csv that holds all the tickets you've "sendResultToTicketed", and add a search clause to blacklist those that have been created already. Then, for those that aren't blacklisted yet, run them through sendResultToTicket, then add them to the blacklist.

blah blah ...
 | eval field1=fieldx.last_report_time
 | table field1 field2 field3, field4, ticket
 | search NOT [ |inputlookup ticketCsv.csv | table ticket ]
 | sendResultToTicket
| outputlookup append=t ticketCsv.csv 

Hope this helps!

View solution in original post

aberkow
Builder

My understanding of throttling is that it prevents alert actions from being triggered. Since a pipe command is still part of the search, I would guess that throttling would have no effect on preventing | sendResultToTicket from occurring, because the search hasn't completed yet and can't be throttled. I think this because the front end says After an alert is triggered, subsequent alerts will not be triggered until after the throttle period, but that doesn't say "they aren't run".

As a suggestion on what you can do - create a csv that holds all the tickets you've "sendResultToTicketed", and add a search clause to blacklist those that have been created already. Then, for those that aren't blacklisted yet, run them through sendResultToTicket, then add them to the blacklist.

blah blah ...
 | eval field1=fieldx.last_report_time
 | table field1 field2 field3, field4, ticket
 | search NOT [ |inputlookup ticketCsv.csv | table ticket ]
 | sendResultToTicket
| outputlookup append=t ticketCsv.csv 

Hope this helps!

Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...