Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Delete triggered alert if condition no longer matched

andrew207
Path Finder
‎04-25-2019 08:05 PM

I have an alert that runs every 1 minute and triggers when latest(status) = stopped.

If the alert runs and sees latest(status) = running, I want it to delete the triggered alert if there is one.

Is there a way to do this in Splunk?

Reply
1 Solution
Solved! Jump to solution
Solution

michael_bates_1
Path Finder
‎04-25-2019 08:51 PM

Hello Andrew,

I do not believe there is currently a simple way to achieve this solely from within Splunk itself (happy to be proven wrong though).

Options for a possible solution would include -

  • There are REST endpoints for "fired_alerts" that will list and allow DELETE operation, however the DELETE operation cannot be called from the rest search command.
    Subsequently, this would require an external script to perform the actions, and given scripted actions is deprecated, I cannot say how long it would continue to function.

  • You could look into some alternate Alert Mgmt apps (I have deployed this one in a number of places now, https://splunkbase.splunk.com/app/2665/ )

  • Other alternatives include lookups, writing events to index, etc

Again these are alternatives, not an answer to your question.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-25-2019 10:03 PM

There is a rest endpoint to do this but you are going to have to build your own modular alert action app to do this.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-25-2019 09:47 PM

What do you mean by delete the triggered alert, exactly?

0 Karma
Reply
Solved! Jump to solution

andrew207
Path Finder
‎04-25-2019 09:56 PM

I mean literally delete the triggered alert. In the UI there's a button to delete them, in the REST API there's an endpoint to delete them. I would like an option to delete them if events occur as I described in OP

0 Karma
Reply
Solved! Jump to solution
Solution

michael_bates_1
Path Finder
‎04-25-2019 08:51 PM

Hello Andrew,

I do not believe there is currently a simple way to achieve this solely from within Splunk itself (happy to be proven wrong though).

Options for a possible solution would include -

  • There are REST endpoints for "fired_alerts" that will list and allow DELETE operation, however the DELETE operation cannot be called from the rest search command.
    Subsequently, this would require an external script to perform the actions, and given scripted actions is deprecated, I cannot say how long it would continue to function.

  • You could look into some alternate Alert Mgmt apps (I have deployed this one in a number of places now, https://splunkbase.splunk.com/app/2665/ )

  • Other alternatives include lookups, writing events to index, etc

Again these are alternatives, not an answer to your question.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...