I have a regularly scheduled search in Splunk that is producing a large volume of repeat events. I attempted to throttle these using the "once per result" option with throttling fields. I have two fields in the throttling, user and dest. This was in an effort to reduce volume for repeat events, but still show any event that has changed so it is not missed.
I noticed during my testing (the new throttled rule alongside the old unthrottled one) that one search returned two new unique results and one result that had appeared before. As a result, Splunk did not show ANY of the results in the throttled search, not even the new hits, because one event was repeated. Is this how throttling is intended to function? Is there a way around this? I need the search to throttle repeat results but still supply any new results.
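As an added illustration (not code from the post or from Splunk), the following model replays the scenario described above through two throttling semantics so their outcomes can be compared: a per-result throttle that keys suppression on the throttle fields, and a whole-alert throttle that silences every run within the period once the alert has fired. The field names `user` and `dest`, the 24-hour window, and the result rows are constructed for the demo; which of the two modes the asker's configuration actually produced is not determined by the post.

```python
"""Model of alert throttling keyed on throttle fields.

Added example, not Splunk's own code. Two suppression modes are modelled:
  - per_result: each result is keyed on the throttle fields (user, dest)
    and is suppressed only if that key already fired within the period;
  - whole_alert: once the alert fires, every later run inside the period
    is suppressed regardless of which results it contains.
Field names, the 24h period and the result rows are constructed for the demo.
"""

THROTTLE_FIELDS = ("user", "dest")   # assumption: same fields as in the post
PERIOD = 24 * 3600                   # assumption: 24h suppression window


def result_key(result, fields=THROTTLE_FIELDS):
    """Tuple of throttle-field values; a missing field becomes None."""
    return tuple(result.get(f) for f in fields)


class PerResultThrottle:
    """Suppress each result independently by its throttle-field key."""

    def __init__(self, period=PERIOD, fields=THROTTLE_FIELDS):
        self.period = period
        self.fields = fields
        self._last_fired = {}   # key -> time the alert last fired for that key

    def run(self, results, now):
        fired, suppressed = [], []
        for r in results:
            k = result_key(r, self.fields)
            last = self._last_fired.get(k)
            if last is not None and now - last < self.period:
                suppressed.append(r)
            else:
                self._last_fired[k] = now
                fired.append(r)
        return fired, suppressed


class WholeAlertThrottle:
    """Suppress the entire alert once it has fired within the period."""

    def __init__(self, period=PERIOD):
        self.period = period
        self._last_fired = None

    def run(self, results, now):
        if not results:
            return [], []
        if self._last_fired is not None and now - self._last_fired < self.period:
            return [], list(results)
        self._last_fired = now
        return list(results), []


# Constructed results for two scheduled runs, one hour apart.
RUN1 = [
    {"user": "alice", "dest": "10.0.0.5", "action": "blocked"},
    {"user": "bob",   "dest": "10.0.0.9", "action": "blocked"},
]
RUN2 = [
    {"user": "alice", "dest": "10.0.0.5", "action": "allowed"},  # same key, action changed
    {"user": "carol", "dest": "10.0.0.7", "action": "blocked"},  # new user and dest
    {"user": "bob",   "dest": "10.0.0.2", "action": "blocked"},  # same user, new dest
]


def demo(mode):
    """Replay RUN1 then RUN2 through the chosen throttle; return fired keys per run."""
    t = PerResultThrottle() if mode == "per_result" else WholeAlertThrottle()
    f1, _ = t.run(RUN1, now=0)
    f2, _ = t.run(RUN2, now=3600)
    return [result_key(r) for r in f1], [result_key(r) for r in f2]


if __name__ == "__main__":
    for mode in ("per_result", "whole_alert"):
        print(mode, demo(mode))
```

Under the per-result model the second run still surfaces carol and bob's new destination while alice's repeat is suppressed, which is the behaviour the question asks for; under the whole-alert model the second run is silenced entirely, which matches what the asker observed. Note also that alice's row is suppressed in per-result mode even though `action` changed, because `action` is not a throttle field: any attribute whose change should break suppression has to be part of the throttle key.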