Variable | ALERT_MAX_THROTTLE_FIELD_VALUES_STORED | |
Description | Maximum number of field values stored for each standard alert | |
Default | 100 |
This environment variable is used to set the maximum number of field values that may be stored for each standard alert — that is to say, each standard alert that is using field-based throttling.
If you discover that such alerts are triggered with the same field value before the throttle period has elapsed, you may want to increase the limit with this variable.
The ALERT_MAX_THROTTLE_FIELD_VALUES_STORED
threshold only
affects Legacy Alerts. To set the threshold
for Filter Alerts and
Aggregate Alerts, configure
FILTER_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED
and
AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED
variables,
respectively.
Warning
Setting too high values for this variable will cause the Global Database write throughput to get beyond what is possible to keep in sync, resulting in higher and higher ingest latency, and ultimately causing a total system outage. Many factors contribute to destabilizing the system; therefore, specifying precisely what values should be considered "too high" is not possible. Instead, analysis should be conducted on what the needed threshold value should be, and set the threshold above but close to that value. To recover from system outage, simply set back the variable to a lower value and restart.
Below is an example of how the variable might be set:
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED=100
This sets the limit to 100.
When an alert is triggered, LogScale will store the value of the throttle field in memory. To limit memory usage, there is a fixed limit on the number of values that LogScale stores per alert. If you select a throttle field that expects more values than this limit, your alert might trigger more frequently than indicated by the given throttle period.
Note
Related to Cluster Management, increasing the limit might also increase the memory usage of every node in the cluster.