Advanced Settings - Throttling
Throttling is used to restrict a task from being executed. Usually throttling is used when a task is triggered by a frequently occurring event. Under certain circumstances, throttling may prevent a trigger from being fired. Each time the trigger is activated, it is evaluated according to the schema below. Only those triggers which meet the specified conditions make the task execute. If no throttling conditions are set, all trigger events run the task.
There are three types of conditions for Throttling:
•Time-based Criteria
•Statistical Criteria
•Event Log Criteria
For a task to be executed:
•It has to pass all types of conditions
•Conditions must be set; if a condition is empty, it is omitted
•All time-based conditions must pass as they are evaluated with the AND operator
•All statistical conditions evaluated with the AND operator must pass; at least one statistical condition with the OR operator must pass
•Statistical and time conditions set together must pass as they are evaluated with the AND operator—only then is the task executed
If any of the defined conditions are met, stacked information for all observers is reset (the count starts over from 0). This holds for time-based as well as statistical conditions. This information is also reset if the Agent or ESET PROTECT Server is restarted. All modifications made to a trigger reset its status. We recommend that you only use one statistical condition and multiple time-based conditions. Multiple statistical conditions can cause unnecessary complications, and can alter trigger results.
Preset
There are three presets available. When you select a preset, your current throttling settings are cleared and replaced by the preset values. These values can be further modified and used; however, you cannot create a new preset.
Time-based criteria
Time period (T2) - Allow triggering once during the specified time period. If, for example, this is set to ten seconds and ten invocations occur during this time, only the first would trigger the event.
You must configure throttling with time-based criteria to restrict task execution to at most once per 15 minutes and notifications to at most once per 1 minute (a lock icon indicates the restriction):
•Server Tasks (including report generation) - all trigger types.
•Client Tasks - scheduled and CRON expression trigger types.
Schedule (T1) - Allows triggering only within the defined time range. Click Add period and a pop-up window is displayed. Set a Range Duration in the selected time units. Select one option from the Recurrence list and fill in the fields, which change according to the selected recurrence. You can also define the recurrence in the form of a CRON Expression. Click OK to save the range. You can add multiple time ranges to the list—they will be sorted chronologically.
All of the configured conditions must be fulfilled to trigger the task.
Statistical criteria
Condition - Statistical conditions can be combined using either:
•Send notification when all statistical criteria are met - AND logical operator is used for evaluation
•Send notification when at least one statistical criteria is met - OR logical operator is used for evaluation
Number of occurrences (S1) - Allows only every x-th trigger hit. For example, if you type ten, only every tenth trigger hit will be counted.
Number of occurrences within a time period
Number of occurrences (S2) - Allows only triggering within the defined time period. This will define the minimum frequency of events to trigger the task. For example, you can use this setting to allow the execution of the task if the event is detected 10x in an hour. Firing of the trigger causes a counter reset.
Time period - Define the time period for the option described above.
A third statistical condition is available only for certain trigger types. See Trigger > Trigger type > Event Log Trigger.
Event log criteria
These criteria are evaluated by ESET PROTECT as the third statistical criterion (S3). The Statistical criteria application operator (AND / OR) is applied to evaluate all three statistical conditions together. We recommend that you use event log criteria in combination with the Generate Report task. All three fields are required for the criteria to work. The buffer of symbols is reset if the trigger is fired and there is a symbol already in the buffer.
Condition - This defines which events or sets of events will trigger the condition. The available options are:
•Received in a Row - The specified number of events must occur in succession. These events must be unique.
•Received Since Last Trigger Execution - The condition is triggered when the selected number of unique events is reached in the time since the task was last triggered.
Number of occurrences - Type the number of unique events with selected symbols to run the task.
Symbol - According to Log type, which is set in the Trigger menu, you can choose a symbol in the log which you can then search for. Click Select to display the menu. You can remove the selected symbol by clicking Remove.
When in use with a Server Task, all client computers are considered. Receiving multiple distinct symbols in a row is unlikely. Use the Received in a Row setting only for reasonable cases. A missing value (N/A) is considered as "not unique" and therefore the buffer is reset at this point.
Additional properties
As stated above, not every event will cause a trigger to fire. Actions taken for non-firing events can be:
•If there is more than one event skipped, group the last N events into one (store data of suppressed ticks) [N <= 100]
•For N == 0, only the last event is processed (N means history length, where the last event is always processed)
•All non-firing events are merged (merging the last tick with N historical ticks)
If the trigger fires too often or you want to be notified less often, consider the following suggestions:
•To react only when there are multiple events rather than a single one, see statistical condition S1
•If the trigger should fire only when a cluster of events occurs, follow statistical condition S2
•When events with unwanted values are supposed to be ignored, refer to statistical condition S3
•When events from outside relevant hours (for example, working hours) should be ignored, see time-based condition T1
•To set a minimum time between trigger firings, use time-based condition T2
The conditions can also be combined to form more complex throttling scenarios. See the throttling examples for more details.
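To see how a combined configuration behaves before applying it to a notification or task trigger, the rules above can be replayed over a list of event timestamps. The Python model below is an added example, not ESET PROTECT code: it covers T2, S1 and S2 only, and the class, function and sample timestamps are constructed for illustration. It assumes that firing resets every counter and that "every x-th hit" means the hit count is a multiple of x.

```python
from collections import deque

class Throttle:
    """Toy model of the rules on this page; not ESET PROTECT code."""

    def __init__(self, t2=None, s1=None, s2=None, stat_op="AND"):
        self.t2 = t2            # T2: minimum seconds between firings
        self.s1 = s1            # S1: allow every s1-th trigger hit
        self.s2 = s2            # S2: (count, seconds) occurrences within a period
        self.stat_op = stat_op  # "AND" or "OR" across statistical conditions
        self.last_fire, self.hits, self.window = None, 0, deque()

    def offer(self, ts):
        """Feed one trigger event (timestamp in seconds); True if the task runs."""
        self.hits += 1
        stats = []
        if self.s1 is not None:
            # Assumption: "every x-th hit" means the hit count is a multiple of x.
            stats.append(self.hits % self.s1 == 0)
        if self.s2 is not None:
            count, period = self.s2
            self.window.append(ts)
            while ts - self.window[0] >= period:  # drop hits older than the period
                self.window.popleft()
            stats.append(len(self.window) >= count)
        # Empty conditions are omitted, so "no statistical condition" passes.
        combine = all if self.stat_op == "AND" else any
        stat_ok = combine(stats) if stats else True
        time_ok = (self.t2 is None or self.last_fire is None
                   or ts - self.last_fire >= self.t2)
        if not (stat_ok and time_ok):  # time and statistical groups are ANDed
            return False
        # Assumption: firing resets every counter (counts start over from 0).
        self.last_fire, self.hits = ts, 0
        self.window.clear()
        return True

def fired(events, **cfg):
    """Return the timestamps at which the task would run under cfg."""
    throttle = Throttle(**cfg)
    return [ts for ts in events if throttle.offer(ts)]

# Constructed sample: a ten-event burst, a quiet gap, then a six-event burst.
EVENTS = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 60, 61, 62, 63, 64, 65]

if __name__ == "__main__":
    print("T2=10s          ", fired(EVENTS, t2=10))
    print("S2=5 in 10s     ", fired(EVENTS, s2=(5, 10)))
    print("S2 AND T2=30s   ", fired(EVENTS, s2=(5, 10), t2=30))
    print("S1=10 OR S2=3/5s", fired(EVENTS, s1=10, s2=(3, 5), stat_op="OR"))
```

Comparing the S2-only run with the S2 plus T2 run shows the second cluster in the first burst being suppressed by the minimum interval, which is the effect to check for when a noisy detection should raise one notification per burst.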