I may have found a bug with Saved Searches and Report. I am using Splunk 6.0.3 on *nix, and have created these saved searches from the Web GUI. First the case where it works:
CASE 1
index=something host=something* | dedup host | table host
The query above returns a neat little table with the expected six different hostnames, and individual emails are sent for each hostname. The schedule checks once a minute. The throttle allows one alert every five minutes. Within ten minutes I received the expected total of twelve emails. The data was unique in each email.
CASE 2
index=something host=something* collection="LogicalDisk" counter="% Free Space" instance="C:" Value<40
| dedup host
| multikv fields host instance Value
| eval pcnt_free=(0.00 + tonumber(rtrim(Value,"%")))
| table host instance pcnt_free
| rename host as Host instance as Drive pcnt_free as "Percent Free"
Using the same schedule above, I receive only two emails.
Your second query doesn't have a host field; you renamed it to Host. As a result, your throttle field is null every time and correctly suppresses all but one mail per five minutes.
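The following is an added simulation (not code from the original post or from Splunk) of the per-result throttling behaviour the answer describes: one alert per distinct value of the throttle field per suppression window, with rows that lack the field all collapsing onto a single null key. The hostnames, drive values and free-space figures are constructed sample data, and the schedule (one run per minute for ten minutes, five-minute throttle) is the one the question states.

```python
# Constructed sample search results, one row per host, as CASE 1 and CASE 2
# would emit them on each scheduled run. Hostnames are made up.
CASE1_RESULTS = [{"host": f"web{i}"} for i in range(1, 7)]
CASE2_RESULTS = [
    {"Host": f"web{i}", "Drive": "C:", "Percent Free": 30 + i} for i in range(1, 7)
]


def run_throttled_alerts(results_per_run, throttle_field,
                         window_min=5, run_every_min=1, runs=10):
    """Simulate per-result alert throttling keyed on `throttle_field`.

    Assumption: this models the behaviour described in the answer above
    (one alert per distinct field value per window), not Splunk's own code.
    Rows without the field all map to the key None, so they share one
    throttle slot. Returns the list of (minute, key, row) alerts fired.
    """
    last_fired = {}          # throttle key -> minute it last fired
    fired = []
    for run in range(runs):
        minute = run * run_every_min
        for row in results_per_run:
            key = row.get(throttle_field)   # None when the field was renamed away
            prev = last_fired.get(key)
            if prev is None or minute - prev >= window_min:
                last_fired[key] = minute
                fired.append((minute, key, row))
    return fired


def count_alerts(results_per_run, throttle_field):
    """Number of emails the scheduled search would send in the ten-minute window."""
    return len(run_throttled_alerts(results_per_run, throttle_field))


if __name__ == "__main__":
    # CASE 1: throttle field `host` exists -> six hosts x two windows = 12
    print("case 1, throttle on host:", count_alerts(CASE1_RESULTS, "host"))
    # CASE 2 throttled on `host`: field was renamed to Host -> one key -> 2
    print("case 2, throttle on host:", count_alerts(CASE2_RESULTS, "host"))
    # CASE 2 throttled on `Host`, the name the rename actually produced -> 12
    print("case 2, throttle on Host:", count_alerts(CASE2_RESULTS, "Host"))
```

Running the block reproduces the twelve-versus-two counts from the question; switching the throttle field to the renamed name (or moving the rename out of the query) restores per-host suppression.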
Many thanks. That is, of course, the correct thing to do.
We are throttling on host.
Are you throttling based on host or Host?