https://community.splunk.com/t5/Random/Auto-Resolving-Pagerduty-Alerts/m-p/504687#M1 <P>Hey all.</P> <P>So there is this thing that I periodically trawl the web for and never seem to find any results.</P> <P>It's a small thing but a huge bug bear.</P> <P>I really wanted all of our pagerduty alerts using the app in splunk to autoresolve when the trigger had cleared.</P> <P>It looks like I may have come across a possible solution, and I wanted to see if anyone else has done this or found a better way. And to share in case I can help someone else.</P> <P>Today I finally managed to get this working, and the trick was a new feature in Pagerduty called Eventrules.</P> <P>Essentially you can create a an EventRuleset which will get you a new integration URL and key, and allow you to apply rules to non-standard fields in the payload.</P> <P>An example ruleset based on the following result payload would look like the following"</P> <LI-CODE lang="markup">"result": { "routing_key":"your eventruleset routing key", "dedup_key":"yourunique key, maybe the alert name", "event_action":"trigger or resolve", "severity":"critical or warning etc", "summary":"some high level info", "source":"usually the machine with a problem" } </LI-CODE> <P><BR />Your event rules then may look something like the below:</P> <P>if result.event_action=resolve then resolve the incident using the dedup key</P> <P>if result.event_action=trigger and result.severity=critical then severity is critical and raise new alert</P> <P>etc</P> <P>Now this does raise a small problem in that if your alert raises no rows then you won't be able to send the resolve.</P> <P>The below is extremely simple but does the job as an example by adding a stats count. The only caveat is that if you want an alert per event, you need to do some more work.</P> <LI-CODE lang="markup">index=_internal ERROR | stats count as event_count | eval dedup_key="ddddd" | eval severity="warning" | eval event_action=case(event_count&gt;0,"trigger",1=1,"resolve") | eval summary="A summary of this event" | eval source="servera.example.com" | eval routing_key="XXXXXXXXX" | table dedup_key,severity,event_action, summary, source, routing_key </LI-CODE> <P><BR />All that's required after this is to update your integration url to use the eventrules api and key.</P> <P>This can however be spammy, because an api call will be made every time the alert runs.</P> <P>To get past that I created a KVStore called state_event and do an outputlookup to it each time the event runs. The fields i record are _key=dedup_key, event_action, date_last_changed and date_last_run.</P> <P>In the pagerduty alert properties you can change the alert trigger to custom and set the search to "where event_action!=event_action_lookup".</P> <P>Now it will only fire if this runs event_action(trigger or resolve) is different from the last. This will reduce noise and allow for some stateful tracking of each alert if so desired.</P> <P>Below is an example of the code i put after the table * example above to handle the above logic:</P> <LI-CODE lang="markup">eval _key=dedup_key | eval date_last_run=now() | join type=left [| inputlookup state_alert | rename event_action AS event_action_lookup | rename date_last_change AS date_last_change_lookup | fields event_action_lookup, date_last_change_lookup] | eval date_last_change=case(event_action!=event_action_lookup, now(),1=1,date_last_change_lookup) | outputlookup state_alert append=true key_field=_key </LI-CODE> <P>Hopefully someone finds this useful, can improve on it, or show me a better way <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 May 2024 23:13:23 GMT jethrop 2024-05-30T23:13:23Z https://community.splunk.com/t5/Random/Auto-Resolving-Pagerduty-Alerts/m-p/504687#M1 <P>Hey all.</P> <P>So there is this thing that I periodically trawl the web for and never seem to find any results.</P> <P>It's a small thing but a huge bug bear.</P> <P>I really wanted all of our pagerduty alerts using the app in splunk to autoresolve when the trigger had cleared.</P> <P>It looks like I may have come across a possible solution, and I wanted to see if anyone else has done this or found a better way. And to share in case I can help someone else.</P> <P>Today I finally managed to get this working, and the trick was a new feature in Pagerduty called Eventrules.</P> <P>Essentially you can create a an EventRuleset which will get you a new integration URL and key, and allow you to apply rules to non-standard fields in the payload.</P> <P>An example ruleset based on the following result payload would look like the following"</P> <LI-CODE lang="markup">"result": { "routing_key":"your eventruleset routing key", "dedup_key":"yourunique key, maybe the alert name", "event_action":"trigger or resolve", "severity":"critical or warning etc", "summary":"some high level info", "source":"usually the machine with a problem" } </LI-CODE> <P><BR />Your event rules then may look something like the below:</P> <P>if result.event_action=resolve then resolve the incident using the dedup key</P> <P>if result.event_action=trigger and result.severity=critical then severity is critical and raise new alert</P> <P>etc</P> <P>Now this does raise a small problem in that if your alert raises no rows then you won't be able to send the resolve.</P> <P>The below is extremely simple but does the job as an example by adding a stats count. The only caveat is that if you want an alert per event, you need to do some more work.</P> <LI-CODE lang="markup">index=_internal ERROR | stats count as event_count | eval dedup_key="ddddd" | eval severity="warning" | eval event_action=case(event_count&gt;0,"trigger",1=1,"resolve") | eval summary="A summary of this event" | eval source="servera.example.com" | eval routing_key="XXXXXXXXX" | table dedup_key,severity,event_action, summary, source, routing_key </LI-CODE> <P><BR />All that's required after this is to update your integration url to use the eventrules api and key.</P> <P>This can however be spammy, because an api call will be made every time the alert runs.</P> <P>To get past that I created a KVStore called state_event and do an outputlookup to it each time the event runs. The fields i record are _key=dedup_key, event_action, date_last_changed and date_last_run.</P> <P>In the pagerduty alert properties you can change the alert trigger to custom and set the search to "where event_action!=event_action_lookup".</P> <P>Now it will only fire if this runs event_action(trigger or resolve) is different from the last. This will reduce noise and allow for some stateful tracking of each alert if so desired.</P> <P>Below is an example of the code i put after the table * example above to handle the above logic:</P> <LI-CODE lang="markup">eval _key=dedup_key | eval date_last_run=now() | join type=left [| inputlookup state_alert | rename event_action AS event_action_lookup | rename date_last_change AS date_last_change_lookup | fields event_action_lookup, date_last_change_lookup] | eval date_last_change=case(event_action!=event_action_lookup, now(),1=1,date_last_change_lookup) | outputlookup state_alert append=true key_field=_key </LI-CODE> <P>Hopefully someone finds this useful, can improve on it, or show me a better way <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 May 2024 23:13:23 GMT https://community.splunk.com/t5/Random/Auto-Resolving-Pagerduty-Alerts/m-p/504687#M1 jethrop 2024-05-30T23:13:23Z https://community.splunk.com/t5/Random/Auto-Resolving-Pagerduty-Alerts/m-p/689146#M1965 <P>Awesome stuff! I reproduced your instructions in a step by step <A title="guide" href="https://borisascode.com/blog/resolvable-splunk-alerts-pagerduty" target="_self">guide</A>.</P> Thu, 30 May 2024 22:04:20 GMT https://community.splunk.com/t5/Random/Auto-Resolving-Pagerduty-Alerts/m-p/689146#M1965 borisascode 2024-05-30T22:04:20Z