Solved: Throttle Saved Search returns 1 email istead of 70

bsizemore · ‎04-24-2014

I may have found a bug with Saved Searches and Report. I am using Splunk 6.0.3 on *nix, and have created these saved searches from the Web GUI. First the case where it works:

CASE 1

index=something host=something* | dedup host | table host

The query above returns a neat little table with the expect six different hostnames, and one individual emails are sent for each hostname. The schedule checks once a minute. The throttle allows one alert every five minutes. Within ten minutes I received the expected total of twelve emails. The data was unique in each email.

CASE 2

index=something host=something* collection="LogicalDisk" counter="% Free Space" instance="C:" Value<40
| dedup host
| multikv fields host instance Value
| eval pcnt_free=(0.00 + tonumber(rtrim(Value,"%")))
| table host instance pcnt_free
| rename host as Host instance as Drive pcnt_free as "Percent Free"

Using the same schedule above, I recieve only two emails.

martin_mueller · ‎04-24-2014

Your second query doesn't have a host field, you renamed it to Host - as a result, your throttle field is null every time and correctly suppresses all but one mail per five minutes.

View solution in original post

martin_mueller · ‎04-24-2014

Your second query doesn't have a host field, you renamed it to Host - as a result, your throttle field is null every time and correctly suppresses all but one mail per five minutes.

bsizemore · ‎04-24-2014

Many thanks. That is, of course, the correct thing to do.

bsizemore · ‎04-24-2014

we are throttling on host

martin_mueller · ‎04-24-2014

Are you throttling based on host or Host?

Throttle Saved Search returns 1 email istead of 70

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes