Splunk Search

Alert - Throttling is not working for search query

prsubramanian
New Member

Hi,
I have a requirement. Please suggest how to proceed further.
In the alert, I need to run the search query every 2 mins, but the search query should not run for the next 5 mins (given in "Suppress triggering for"), which is given in throttling. And the "Added to alert" action is added with the severity as "Info".
Result:
After saving the alert, the query gets executed every 2 mins, which is correct as expected, but it should not execute the search query for the next 5 mins, which is given in throttling minutes. But the "Added to alert" actions are executed every 5 mins.

Settings given as below:
Alert Type: Scheduled
Run on Cron Scheduled
Real Time
Cron Expression: */2 * * * *

Trigger Conditions:
Number of Results : is greater than 0
Trigger : Once
Throttle: Checked
Suppress Trigger for: 5 minutes

Trigger Actions:
Add to Trigger Alerts: Info

In short, the search query in the alert needs to execute, and the query should not get executed based on the throttling minutes which are given.
But now the search query is executing based on the given cron schedule, and the throttling works only for "Added to alerts".
Will the throttling work only for Trigger Actions like "Added to alerts"? Please confirm.

Please let me know if any information is required.
Thanks,
