I have used this query for the alert creation.
index=xyz sourcetype=abc | table _time response_time | search response_time>50
I have used a cron schedule of 5 min. But this creates a lot of noise. So I want to use throttling for this alert for 15 min, meaning that after the first alert triggers, it will wait for a 15 min delay.
I have used the below configuration, triggered for each result.
Throttle : "Checked"
Suppress results containing field value: "response_time"
Suppress triggering for : 15 mins
But this is not working. Please help.
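For reference, the savedsearches.conf equivalent of the alert described in the post, written here as an added example rather than taken from the post or from Splunk's own docs. The stanza names and the index/sourcetype values are constructed; the throttle keys are the ones Splunk uses for the "Throttle", "Suppress results containing field value" and "Suppress triggering for" settings, and the second stanza shows the whole-alert throttle that a per-field throttle does not give.

```ini
# Added example, not from the original post. Two constructed stanzas that
# differ only in how the 15 minute throttle is keyed.

# Stanza 1: the configuration described in the post (trigger for each
# result, throttle keyed on the response_time field).
[response_time_alert_per_value]
search = index=xyz sourcetype=abc | table _time response_time | search response_time>50
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# 0 = trigger once per result, 1 = trigger once per search run
alert.digest_mode = 0
alert.track = 1
# Throttle keyed on response_time: only a repeat of the SAME response_time
# value is suppressed for 15 minutes. Every new distinct value (51, 52, 53...)
# still fires, which is why the noise does not go away.
alert.suppress = 1
alert.suppress.fields = response_time
alert.suppress.period = 15m

# Stanza 2: one alert, then silence for 15 minutes regardless of values.
# Digest mode needs no suppress field; the throttle applies to the alert
# as a whole.
[response_time_alert_once_per_15m]
search = index=xyz sourcetype=abc | table _time response_time | search response_time>50
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.track = 1
alert.suppress = 1
alert.suppress.period = 15m
```

If per-result triggering is still wanted, the suppress field has to be one whose value repeats across the results you want silenced (a host or service field, not the measured response_time itself).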