Splunk Search

How does throttle work

lucas4394
Path Finder

I wonder how the throttling works if the last pipeline of the search is to redirect the results to different tools/software such as send the results to ticketing systems. I got the repeat events in the ticketing system although the content in the throttling field was the same.

Any clues? Thanks.

Sample search and the field1 is the throttling field:

blah blah ...
| eval field1=fieldx.last_report_time
| table field1 field2 field3, field4
| sendResultToTicket
0 Karma
1 Solution

aberkow
Builder

My understanding of throttling is that it prevents alert actions from being triggered. Since a pipe command is still part of the search, I would guess that throttling would have no effect on preventing | sendResultToTicket from occurring, because the search hasn't completed yet and can't be throttled. I think this because the front end says After an alert is triggered, subsequent alerts will not be triggered until after the throttle period, but that doesn't say "they aren't run".

As a suggestion on what you can do - create a csv that holds all the tickets you've "sendResultToTicketed", and add a search clause to blacklist those that have been created already. Then, for those that aren't blacklisted yet, run them through sendResultToTicket, then add them to the blacklist.

blah blah ...
 | eval field1=fieldx.last_report_time
 | table field1 field2 field3, field4, ticket
 | search NOT [ |inputlookup ticketCsv.csv | table ticket ]
 | sendResultToTicket
| outputlookup append=t ticketCsv.csv 

Hope this helps!

View solution in original post

aberkow
Builder

My understanding of throttling is that it prevents alert actions from being triggered. Since a pipe command is still part of the search, I would guess that throttling would have no effect on preventing | sendResultToTicket from occurring, because the search hasn't completed yet and can't be throttled. I think this because the front end says After an alert is triggered, subsequent alerts will not be triggered until after the throttle period, but that doesn't say "they aren't run".

As a suggestion on what you can do - create a csv that holds all the tickets you've "sendResultToTicketed", and add a search clause to blacklist those that have been created already. Then, for those that aren't blacklisted yet, run them through sendResultToTicket, then add them to the blacklist.

blah blah ...
 | eval field1=fieldx.last_report_time
 | table field1 field2 field3, field4, ticket
 | search NOT [ |inputlookup ticketCsv.csv | table ticket ]
 | sendResultToTicket
| outputlookup append=t ticketCsv.csv 

Hope this helps!

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!