topic Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds? in Alerting

How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

cemiam — Sat, 22 Jul 2017 13:54:06 GMT

Hi,

I have an alert for log sources that stopped sending logs for a while. Alert string is like: | metadata type=sources | eval age=now()-lastTime | search age>600

I am planning to clear alerts for the log sources that started to send logs after 300 seconds. Is there any way to do that? I thought log sources might be written into a reference set with the inputlookup command, but I am not able to find how to clear values that start sending logs.

Best Regards,
Cem

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

niketn — Sat, 22 Jul 2017 15:10:15 GMT

By clearing the alert do you mean you want to clear already triggered alert from Triggered Alert History or do you want to change your alert condition from sources not feeding data in last 10 min to last 5 min (300 sec)?

| metadata type=sources 
| eval age=now()-lastTime 
| search age>300

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

cemiam — Sun, 23 Jul 2017 13:18:25 GMT

I want to clear alert if it send logs in last 5 mins. Is there any method to clear alerts? Actually it don't have to be an alert. We can just save it as a report. The important part is clearing the values after 5 minutes if it started to send logs.

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

niketn — Tue, 25 Jul 2017 07:04:40 GMT

@cemiam, You can create a dashboard with source details which refreshes every minutes.

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

cemiam — Tue, 01 Aug 2017 14:04:07 GMT

Hi,

This time I'll not see if problem occurs and resolves in a few minutes. It will constantly refresh the report and delete every source which starts to send log. We need to delete them only after they send at most in 5 minutes. Do you know any way to do this?

Best Regards,

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

jkat54 — Tue, 29 Sep 2020 15:12:09 GMT

I have updated the Splunk-TA_webtools app on splunkbase to support this scenario:

https://splunkbase.splunk.com/app/3420

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

jkat54 — Thu, 03 Aug 2017 19:52:58 GMT

@cemiam this is working for me, please test on your end after downloading and installing the last Splunk-TA_webtool (v1.00).

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

cemiam — Fri, 04 Aug 2017 10:10:19 GMT

Hi jkat54,

It worked like a charm. Thank you for your efforts. It seems this will resolve our problem.

Best Regards,

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

jkat54 — Sat, 05 Aug 2017 12:08:49 GMT

That's great! Happy to help.

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

jkat54 — Sat, 05 Aug 2017 12:13:25 GMT

@cemiam if you don't mind, can you please take a moment to rate the app on splunkbase? Thanks again!

Re: How do you auto-clear alerts for log sources that begin sending logs again after x-seconds?

cemiam — Sat, 05 Aug 2017 13:04:09 GMT

Sure. I have rated your app. Thanks again for your assitance.