FAQ: What are the effects of changing the settings of a throttled alert

Changing the settings of existing alerts configured for Field-Based Throttling may affect their normal behavior. The following use cases have been observed.

  • Changing the previously defined throttle field will clear the field values.

  • After the throttle window is changed, the alert will still throttle on the previous values for the throttle field (and will throttle with the new throttle period). For example:

    • An event with field x = value y will remain throttled as per the defined throttle time.

    • Other events found with field x = value z or any other value in the new time window will trigger the alert if found, then get throttled with the new period.

  • If you increase the throttle period, the old values will also be throttled for the new period. One exception: if x = value y triggers at 14:00 with a 1-hour throttle period and you then change the throttle period to 2 hours at 15:30, the value will not remain throttled until 16:00, because it was already discarded at 15:00 when the old throttle period expired.

  • Changing the action has no impact; the alert will still throttle on the previous values for the throttle field. For example:

    • An event with field x = value y which triggered the alert will remain throttled.

    • When the alert can trigger again for the same event and value, it will use the new action.

    • Events with field x = value z or any other value will use the new action as soon as the alert triggers.

  • Changing the query has no impact. For example:

    • An event with field x = value y will remain throttled as per the defined throttle time.

    • Other events found, based on the new query, with field x = value z or any other value will trigger the alert if found, then get throttled.
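
The throttle-period timing described above, including the 14:00 / 15:30 exception, as an added Python sketch that is not product code. The `FieldThrottle` class, the `run` helper and the discard-on-expiry rule are assumptions made to model the behaviour this FAQ describes; the timestamps are constructed.

```python
from datetime import datetime, timedelta

class FieldThrottle:
    """Toy model of the behaviour in this FAQ; hypothetical, not product code."""

    def __init__(self, field, period):
        self.field, self.period = field, period
        self.fired = {}  # throttle-field value -> time the alert last triggered

    def _expire(self, now):
        # Assumption: a value is discarded once the period in effect has elapsed.
        self.fired = {v: t for v, t in self.fired.items() if now < t + self.period}

    def set_period(self, now, period):
        self._expire(now)     # values past the OLD period are already gone
        self.period = period  # surviving values are held for the NEW period

    def set_field(self, field):
        self.field = field
        self.fired.clear()    # changing the throttle field clears stored values

    def offer(self, now, event):
        """Return True if the alert triggers, False if the event is throttled."""
        self._expire(now)
        value = event[self.field]
        if value in self.fired:
            return False
        self.fired[value] = now
        return True

def at(hhmm):
    # Constructed timestamps on an arbitrary day.
    return datetime(2024, 1, 1, *map(int, hhmm.split(":")))

def run(change_at):
    """x=y triggers at 14:00 (1h period); the period becomes 2h at change_at."""
    t = FieldThrottle("x", timedelta(hours=1))
    results = [t.offer(at("14:00"), {"x": "y"})]
    t.set_period(at(change_at), timedelta(hours=2))
    for hhmm in ("15:45", "16:05"):
        results.append(t.offer(at(hhmm), {"x": "y"}))
    return results

if __name__ == "__main__":
    print(run("14:30"))  # period raised while y is still throttled
    print(run("15:30"))  # period raised after y was discarded at 15:00
```

In the second run the repeat of x = y at 15:45 triggers the alert again, which is the case to expect when a throttle period is lengthened after the old one has already expired.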