Kibana alerting v2 throttle
Throttling sets a minimum interval between notifications for the same notification group. It reduces notification volume without affecting alert detection or lifecycle tracking.
- When the dispatcher processes a notification group for the first time, it always fires — the first occurrence is never throttled.
- The dispatcher records a `notified` action with the current timestamp.
- On subsequent runs, the dispatcher checks whether the time elapsed since the last `notified` action is less than the throttle interval.
- If the interval has not passed, the notification is suppressed with outcome `suppress` and reason `throttled`.
- Once the interval expires, the next occurrence fires and the window resets.
The throttle window resets from the timestamp of the last dispatched notification, not from the first occurrence.
Throttling is configured on notification policies:
```yaml
throttle:
  interval: 15m
```
This means at most one notification per 15 minutes for each notification group.
Throttling is applied per (rule_id, policy_id, group_key). This means:
- Different rules are throttled independently, even through the same policy.
- Different grouping key values are throttled independently (for example, `host-a` and `host-b` each have their own throttle window).
- Different policies are throttled independently, even for the same rule.
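
The throttle decision and its per-(rule_id, policy_id, group_key) scoping, modelled as an added JavaScript example (not Kibana's own code). The class and function names, the `fire` outcome label, the sample rule and policy ids, and the interval units other than minutes are assumptions.

```javascript
// Added illustration, not Kibana source: ThrottleModel, parseInterval and
// dispatch are hypothetical names modelling the behaviour described above.
const UNIT_MS = { s: 1000, m: 60000, h: 3600000, d: 86400000 };

// Convert an interval such as "15m" to milliseconds. Only "15m" appears on
// the page; the s/h/d units are an assumption.
function parseInterval(text) {
  const match = /^(\d+)([smhd])$/.exec(text);
  if (!match) throw new Error(`unsupported interval: ${text}`);
  return Number(match[1]) * UNIT_MS[match[2]];
}

class ThrottleModel {
  constructor(interval) {
    this.intervalMs = parseInterval(interval);
    this.lastNotified = new Map(); // throttle key -> time of last notified action
  }

  // Decide the outcome for one notification group at time nowMs.
  dispatch(ruleId, policyId, groupKey, nowMs) {
    const key = JSON.stringify([ruleId, policyId, groupKey]);
    const last = this.lastNotified.get(key);
    if (last !== undefined && nowMs - last < this.intervalMs) {
      return { outcome: 'suppress', reason: 'throttled' };
    }
    this.lastNotified.set(key, nowMs); // window restarts from this dispatch
    return { outcome: 'fire' }; // label assumed; the page names only suppress
  }
}

// Constructed timeline: [minute, rule_id, group_key], one policy at 15m.
function runTimeline() {
  const model = new ThrottleModel('15m');
  const events = [
    [0, 'rule-1', 'host-a'], // first occurrence: never throttled
    [10, 'rule-1', 'host-a'], // inside the window
    [10, 'rule-1', 'host-b'], // different group key: own window
    [20, 'rule-1', 'host-a'], // 20 min since last dispatch
    [30, 'rule-1', 'host-a'], // only 10 min since the dispatch at 20
    [30, 'rule-2', 'host-a'], // different rule: own window
    [35, 'rule-1', 'host-a'], // exactly 15 min since 20: not "less than"
  ];
  return events.map(([minute, ruleId, groupKey]) => {
    const { outcome } = model.dispatch(ruleId, 'policy-1', groupKey, minute * 60000);
    return `${minute}m ${ruleId}/${groupKey}: ${outcome}`;
  });
}

console.log(runTimeline().join('\n'));
```

The suppressed dispatch at 30m shows the window running from the last dispatched notification (20m), not from the first occurrence (0m).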
- Warning-level alerts where immediate notification is not critical but periodic awareness is useful.
- High-volume rules that produce many alerts per evaluation cycle.
- Summary notifications where you want a periodic digest rather than per-alert notifications.
- Grouping reduces the number of notifications by batching alerts. Throttling reduces the frequency of those batched notifications.
- Snooze suppresses all notifications for a fixed duration. Throttling allows periodic notifications at a controlled rate.