×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
_stoff
Observer
Member since: ‎08-26-2021
‎08-28-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-26-2021
Activity Feed
View All

Alert throttle not working with renamed fields

by in Splunk Search
‎08-26-2021 09:10 AM
‎08-26-2021 09:10 AM
I have multiple alerts with searches similar to the one below where fields are renamed to a numeric ordering. The search results are passed from phantom to a webex chat which reorders the fields unless this is done.  I am seeing back to back alerts when the throttle should have enacted. This also doesn't occur for all field values. An example would be an alert at 01:10 and 01:11 both containing the same throttled field value. At a loss at what the cause is. It doesn't appear to be the _'s because I would expect this behavior for all ~20 alerts of this format. Example search and alert configuration: Throttle for each result, value: 3_Publication index=database sourcetype=mssql:replication:status | fields _time, host, publisher, publication, agent_name, agent_type, agent_status | eval host = upper(host) | eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | table Time, host, publisher, publication, agent_name, agent_type, agent_status | rename Time as 0_Time, host as 1_Host, publisher as 2_Publisher, publication as 3_Publication, agent_name as 4_Agent_Name, agent_type as 5_Agent_Type, agent_status as 6_Agent_Status ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-28-2021 03:18 AM