https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/591626#M205954 <P>I have been brainstorming the same issue. The issue is when the alert is closed then reopened it wont recongnise the same event id as the id seems to change, so if it flaps youll get alert storms. My solution is to use the monitoringobjectid and the name together. The monitoringobjectid is unique to each object but can have multiple different alerts raised against it. So using the name you ensure you only get unique events for that object. This will help with Maintenance Mode and alert storms. Even with disk alerts that seem to continue raising events at certain intervals of disk usage have different ids.</P> Wed, 30 Mar 2022 21:23:47 GMT johnrbhancock 2022-03-30T21:23:47Z https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541354#M153270 <P>We are ingesting scom events</P> <P>When an alert is triggered it is assigned an id (the earliest event pictured) and we have created a dashboard of alerts that are in status new.</P> <P>This issue we have is some of the alerts have actually been resolved but the logs that show an alert as resolved show the id as "monitoringalertid" not "id" so the dedup "id" isn't working</P> <P>We are having issues joining these alerts to get the latest status and remove alert if it has been solved.</P> <P>The only value to match these events is the id/monitoringalertid.</P> <P>Anyone know a way to match these events.</P> <P>TIA</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="issue.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13069i0F22376064A31899/image-size/large?v=v2&amp;px=999" role="button" title="issue.png" alt="issue.png" /></span></P> Wed, 30 Mar 2022 22:25:56 GMT https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541354#M153270 nathanluke86 2022-03-30T22:25:56Z https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541367#M153273 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/192656">@nathanluke86</a>,</P><P>You can use&nbsp;coalesce to set id=monitoringalertid where id is null.</P><LI-CODE lang="markup">| eval id=coalesce(id, monitoringalertid) | dedup id</LI-CODE><P>&nbsp;More info on coalesce here:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/ConditionalFunctions#coalesce.28X.2C....29" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/ConditionalFunctions#coalesce.28X.2C....29</A></P><P>If this reply helps you, an upvote/like would be appreciated.</P> Thu, 25 Feb 2021 15:41:25 GMT https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541367#M153273 manjunathmeti 2021-02-25T15:41:25Z https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541478#M153307 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;,</P><P>Tried using coalesce but this doesn't seem to work.</P><P>I have noticed that the logs that have monitoringalertid field that matches the original id also have a field id which does not match the original id.</P><P>This might be causing the issue with coalesce.</P><P>Is there another way to match id with monitoringalertid and if latest status is closed then ignore.</P><P>TIA.</P><P>&nbsp;</P> Fri, 26 Feb 2021 08:47:16 GMT https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541478#M153307 nathanluke86 2021-02-26T08:47:16Z https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541508#M153318 <P>you may be able to just swap the order in the coalesce statement - so that the monitoring id will be used if it exists, then id would be checked for next.</P> Fri, 26 Feb 2021 12:47:42 GMT https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541508#M153318 maciep 2021-02-26T12:47:42Z https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541532#M153326 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/190949">@maciep</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;,</P><P>&nbsp;</P><P>I have this working now using:</P><P>| eval logID = coalesce('monitoringalertid','id') |transaction logID.</P><P>&nbsp;</P><P>Thanks for all the help</P> Fri, 26 Feb 2021 15:19:22 GMT https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/541532#M153326 nathanluke86 2021-02-26T15:19:22Z https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/591626#M205954 <P>I have been brainstorming the same issue. The issue is when the alert is closed then reopened it wont recongnise the same event id as the id seems to change, so if it flaps youll get alert storms. My solution is to use the monitoringobjectid and the name together. The monitoringobjectid is unique to each object but can have multiple different alerts raised against it. So using the name you ensure you only get unique events for that object. This will help with Maintenance Mode and alert storms. Even with disk alerts that seem to continue raising events at certain intervals of disk usage have different ids.</P> Wed, 30 Mar 2022 21:23:47 GMT https://community.splunk.com/t5/Splunk-Search/Scom-How-to-remove-resolved-events-that-are-monitored-using/m-p/591626#M205954 johnrbhancock 2022-03-30T21:23:47Z