I wonder how the throttling works if the last pipeline of the search is to redirect the results to different tools/software, such as sending the results to ticketing systems. I got repeat events in the ticketing system although the content in the throttling field was the same.
Any clues? Thanks.
Sample search, where field1 is the throttling field:
blah blah ...
| eval field1=fieldx.last_report_time
| table field1 field2 field3, field4
| sendResultToTicket
My understanding of throttling is that it prevents alert actions from being triggered. Since a pipe command is still part of the search, I would guess that throttling would have no effect on preventing "| sendResultToTicket" from occurring, because the search hasn't completed yet and can't be throttled. I think this because the front end says "After an alert is triggered, subsequent alerts will not be triggered until after the throttle period", but that doesn't say "they aren't run".
As a suggestion on what you can do: create a csv that holds all the tickets you've "sendResultToTicketed", and add a search clause to blacklist those that have been created already. Then, for those that aren't blacklisted yet, run them through sendResultToTicket, then add them to the blacklist.
blah blah ...
| eval field1=fieldx.last_report_time
| table field1 field2 field3, field4, ticket
| search NOT [ |inputlookup ticketCsv.csv | table ticket ]
| sendResultToTicket
| outputlookup append=t ticketCsv.csv
Hope this helps!
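The pattern in the answer above (filter out keys already in a lookup, send the rest, then append them to the lookup) is easier to reason about when it is modelled outside Splunk. The following is an added Python simulation, not code from the original thread and not a Splunk API; `run_alert`, `load_sent_tickets`, the `ticket` key column, and the sample results are all constructed for this example. One deliberate difference from the SPL pipeline is noted in the comments: the simulation records a ticket only when its send succeeded, so a row whose send failed is retried on the next run instead of being blacklisted.

```python
"""
Simulation of the ticket-lookup de-duplication suggested in the answer.
SPL being modelled (from the thread):
  | search NOT [ |inputlookup ticketCsv.csv | table ticket ]
  | sendResultToTicket
  | outputlookup append=t ticketCsv.csv
"""
import csv
import os
import tempfile


def load_sent_tickets(path):
    """Stand-in for `inputlookup ticketCsv.csv | table ticket`:
    the set of ticket keys that have already been sent."""
    if not os.path.exists(path):
        return set()
    with open(path, newline="") as fh:
        return {row["ticket"] for row in csv.DictReader(fh)}


def run_alert(results, lookup_path, send):
    """One scheduled run of the alert.

    results     : list of result rows (dicts) carrying a 'ticket' key field
    lookup_path : CSV acting as the blacklist of tickets already created
    send        : callable standing in for | sendResultToTicket
    Returns the rows that were actually sent this run.
    """
    already = load_sent_tickets(lookup_path)
    # | search NOT [ ... ]  -> drop rows whose key is already blacklisted
    candidates = [r for r in results if r["ticket"] not in already]

    sent = []
    for row in candidates:
        try:
            send(row)
        except Exception:
            # Design choice of this example (not in the SPL on the page):
            # a failed send is not recorded, so it is retried next run.
            continue
        sent.append(row)

    # | outputlookup append=t ticketCsv.csv -> append the newly sent keys
    if sent:
        write_header = not os.path.exists(lookup_path)
        with open(lookup_path, "a", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=["ticket"])
            if write_header:
                writer.writeheader()
            for row in sent:
                writer.writerow({"ticket": row["ticket"]})
    return sent


# Constructed sample results: the same two events appear on every run,
# which is exactly the situation that produced duplicate tickets.
SAMPLE_RESULTS = [
    {"ticket": "host-a:disk-full", "field2": "host-a"},
    {"ticket": "host-b:disk-full", "field2": "host-b"},
]


def demo_dedup():
    """Two consecutive runs over identical results: only the first sends."""
    sent_log = []
    lookup = os.path.join(tempfile.mkdtemp(), "ticketCsv.csv")
    first = run_alert(SAMPLE_RESULTS, lookup, sent_log.append)
    second = run_alert(SAMPLE_RESULTS, lookup, sent_log.append)
    return len(first), len(second), len(sent_log)


def demo_retry():
    """A send that fails once is retried on the next run, not blacklisted."""
    calls = {"n": 0}
    sent_log = []

    def flaky_send(row):
        calls["n"] += 1
        if calls["n"] == 1:
            raise RuntimeError("ticketing system unavailable")
        sent_log.append(row)

    lookup = os.path.join(tempfile.mkdtemp(), "ticketCsv.csv")
    first = run_alert(SAMPLE_RESULTS, lookup, flaky_send)
    second = run_alert(SAMPLE_RESULTS, lookup, flaky_send)
    third = run_alert(SAMPLE_RESULTS, lookup, flaky_send)
    return len(first), len(second), len(third), sorted(r["ticket"] for r in sent_log)


if __name__ == "__main__":
    print(demo_dedup())
    print(demo_retry())
```

The key column in the lookup must be something that identifies a ticket-worthy event across runs; in the thread that is the `ticket` field, and the sample key values above are constructed. The lookup file is the only state shared between runs, which is why the SPL in the answer appends to it at the very end of the pipeline.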