Alert throttle not working with renamed fields

_stoff · ‎08-26-2021

I have multiple alerts with searches similar to the one below where fields are renamed to a numeric ordering. The search results are passed from phantom to a webex chat which reorders the fields unless this is done.

I am seeing back to back alerts when the throttle should have enacted. This also doesn't occur for all field values. An example would be an alert at 01:10 and 01:11 both containing the same throttled field value.

At a loss at what the cause is. It doesn't appear to be the _'s because I would expect this behavior for all ~20 alerts of this format.

Example search and alert configuration:

Throttle for each result, value: 3_Publication

index=database sourcetype=mssql:replication:status
| fields _time, host, publisher, publication, agent_name, agent_type, agent_status
| eval host = upper(host)
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S")
| table Time, host, publisher, publication, agent_name, agent_type, agent_status
| rename Time as 0_Time, host as 1_Host, publisher as 2_Publisher, publication as 3_Publication, agent_name as 4_Agent_Name, agent_type as 5_Agent_Type, agent_status as 6_Agent_Status

richgalloway · ‎08-27-2021

Just on the off-chance it makes a difference, try putting rename before table. You'll have to change the field names in the table command.

---
If this reply helps you, Karma would be appreciated.

Alert throttle not working with renamed fields

fields

other

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!