Splunk Search

Splunk ES - Notable events not throttled

lpino
Path Finder

Hi all,

I have a Correlation Search that generates notable events ignoring the throttling configuration.
The search is "Excessive Logins Failed" and is set with the current parameters:

Cron schedule: */20 * * * *
Time range: from '-65m' to 'now'
Scheduling: continuous
Schedule Window: No Window
Scheduling priority: Default
Trigger condition: number of results > 0
Throttling window: 86400 seconds
Throttling fields to group by: src

The search is the following:

| tstats summariesonly=true allow_old_summaries=true dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel="Authentication"."Authentication" where Authentication.user!=*$ nodename="Authentication.Failed_Authentication" by "Authentication.app","Authentication.src"
| `drop_dm_object_name(Authentication)`
| replace "::ffff:*" with "*" in src
| where count>=500

Search runtime is very short (a few seconds), so I'm sure there are no overlapping searches at the same time.
Nevertheless, I often find notable events generated for the same 'src' in the last 24 hours. I also have another Correlation Search (Brute Force Attacks detection) which has a similar configuration/scheduling, but in this case the throttling is working fine.

Can anyone help me with this? Anybody else having the same issue?

Thanks in advance

0 Karma
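To reason about what the throttling configuration above should do, here is an added example (not code from the post or from Splunk ES) that models per-result suppression: it assumes ES keys the suppression on the values of the "throttling fields to group by" exactly as they appear in each search result, and that a key is suppressed while a notable for the same key fired less than the throttling window ago. The sample run times and the `src` values are constructed; `normalize_src` mirrors the search's `replace "::ffff:*" with "*" in src` so you can see how an un-normalized field value would produce a second key, and therefore a second notable, for the same host.

```python
from datetime import datetime, timedelta

# Values taken from the correlation search configuration quoted in the post.
THROTTLE_WINDOW_SECONDS = 86400
THROTTLE_FIELDS = ("src",)


def normalize_src(src):
    """Mirror the search's `replace "::ffff:*" with "*" in src`: strip the
    IPv4-mapped IPv6 prefix so both spellings of one address share a key."""
    prefix = "::ffff:"
    return src[len(prefix):] if src.startswith(prefix) else src


def throttle_key(result, fields=THROTTLE_FIELDS):
    """Suppression key: the tuple of throttling-field values in one result."""
    return tuple(str(result.get(f, "")) for f in fields)


def simulate_throttling(runs, window_seconds=THROTTLE_WINDOW_SECONDS,
                        fields=THROTTLE_FIELDS):
    """Model of per-key suppression (an assumption about ES, not its code).

    runs: chronological list of (run_time: datetime, results: list[dict]).
    Returns a list of (run_time, key, "notable" | "suppressed").
    """
    last_fired = {}
    decisions = []
    for run_time, results in runs:
        for result in results:
            key = throttle_key(result, fields)
            prev = last_fired.get(key)
            if prev is not None and (run_time - prev).total_seconds() < window_seconds:
                decisions.append((run_time, key, "suppressed"))
            else:
                last_fired[key] = run_time
                decisions.append((run_time, key, "notable"))
    return decisions


def count_notables(decisions):
    return sum(1 for _, _, outcome in decisions if outcome == "notable")


def build_sample_runs(normalize):
    """Constructed sample: one source keeps exceeding the threshold on the
    20-minute schedule, once spelled with the IPv4-mapped prefix, and again
    a day later after the 86400 s window has expired."""
    t0 = datetime(2024, 1, 1, 0, 0)
    raw = [
        (t0, "10.0.0.5"),
        (t0 + timedelta(minutes=20), "::ffff:10.0.0.5"),
        (t0 + timedelta(minutes=40), "10.0.0.5"),
        (t0 + timedelta(hours=25), "10.0.0.5"),
    ]
    runs = []
    for when, src in raw:
        src_value = normalize_src(src) if normalize else src
        runs.append((when, [{"src": src_value, "count": 600}]))
    return runs


if __name__ == "__main__":
    for normalize in (False, True):
        decisions = simulate_throttling(build_sample_runs(normalize))
        print(f"normalize={normalize}: {count_notables(decisions)} notable(s)")
        for when, key, outcome in decisions:
            print(f"  {when:%Y-%m-%d %H:%M}  src={key[0]:<18} {outcome}")
```

With normalization in place the model fires once at the start and once after the window expires; without it the `::ffff:` spelling becomes a separate key and fires a third time. When a real search throttles on a field that is rewritten or multi-valued in some results, comparing the exact field values on the duplicate notables is the first thing to check.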

lpino
Path Finder

Now I'm experiencing the same issue for other correlation searches as well.

Is there anybody else having the same behavior?

0 Karma