AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED | Falcon LogScale Self-Hosted 1.143.0-1.153.1 (Stable)

`AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED`

Variable	`AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED`
Introduced Version	1.143.0
Description	Maximum number of field values stored for each aggregate alert
Default	`100`

This environment variable is used to set the maximum number of field values that may be stored for each aggregate alert — that is to say, each filter alert that is using field-based throttling.

If you discover that such alerts are triggered with the same field value before the throttle period has elapsed, you may want to increase the limit with this AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED variable.

The AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED threshold only affects Aggregate Alerts. To set the threshold for Legacy Alerts and Filter Alerts, configure ALERT_MAX_THROTTLE_FIELD_VALUES_STORED and FILTER_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED variables, respectively.

Warning

Setting too high values for this variable will cause the Global Database write throughput to get beyond what is possible to keep in sync, resulting in higher and higher ingest latency, and ultimately causing a total system outage. Many factors contribute to destabilizing the system; therefore, specifying precisely what values should be considered "too high" is not possible. Instead, analysis should be conducted on what the needed threshold value should be, and set the threshold above but close to that value. To recover from system outage, simply set back the variable to a lower value and restart.

Below is an example of how the variable might be set:

ini

AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED=100

This sets the limit to 100, which is the default.

When an aggregate alert is triggered, LogScale will store the value of the throttle field in memory. To limit memory usage, there is a fixed limit on the number of values that LogScale stores per alert. If you select a throttle field that expects more values than this limit, your alert might trigger more frequently than indicated by the given throttle period.

Note

Related to Cluster Management, increasing the limit might also increase the memory usage of every node in the cluster.

Falcon LogScale Self-Hosted 1.143.0-1.153.1 (Stable)

Self-Hosted Overview

Installing LogScale

Self-Hosted Admin.

Organization Essentials

Configuring Security

Authentication & Identity Providers

Users & permissions

Cluster Management

Configuration Settings

Ingesting Data

LogScale Configuration Parameters

LogScale URLs & Endpoints

Limits & Standards

Data Analysis 1.154.0-1.156.0

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts