I have an alert that runs every 1 minute and triggers when latest(status) = stopped.
If the alert runs and sees latest(status) = running, I want it to delete the triggered alert if there is one.
Is there a way to do this in Splunk?
I do not believe there is currently a simple way to achieve this solely from within Splunk itself (happy to be proven wrong though).
Options for a possible solution would include -
I mean literally delete the triggered alert. In the UI there's a button to delete them, in the REST API there's an endpoint to delete them. I would like an option to delete them if events occur as I described in OP
There is a REST endpoint to do this, but you are going to have to build your own modular alert action app to do this.
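A sketch of the approach the answer above describes, added here as example code (not from the thread or from Splunk): a custom alert action script, attached to the "status = running" alert, that uses the session key Splunk passes in the `--execute` payload to DELETE the fired-alert records of the "stopped" alert. The fired-alerts REST path and the `target_search` action parameter are assumptions; check the path against the REST API reference for your Splunk version.

```python
#!/usr/bin/env python
"""Custom (modular) alert action: clear fired alerts of another search.

Assumptions, not taken from the thread:
 - Splunk runs this with --execute and a JSON payload on stdin (standard
   for custom alert actions): server_uri, session_key, result, configuration.
 - Fired-alert records are at /services/alerts/fired_alerts/<search_name>
   and accept DELETE; verify against your version's REST docs.
 - alert_actions.conf defines a 'target_search' parameter (hypothetical name).
"""
import json
import ssl
import sys
import urllib.parse
import urllib.request


def should_clear(payload, field="status", ok_value="running"):
    """True when the triggering result shows the service has recovered."""
    return payload.get("result", {}).get(field) == ok_value


def build_delete_request(payload, target_search):
    """DELETE request for the fired-alert records of target_search,
    authenticated with the session key Splunk hands the alert action."""
    base = payload["server_uri"].rstrip("/")
    url = "%s/services/alerts/fired_alerts/%s?output_mode=json" % (
        base, urllib.parse.quote(target_search, safe=""))
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", "Splunk " + payload["session_key"])
    return req


def run(payload, target_search, opener=urllib.request.urlopen):
    """Clear the fired alerts only if status has recovered.
    Returns the HTTP status code, or None when nothing was done."""
    if not should_clear(payload):
        return None
    ctx = ssl.create_default_context()  # tighten/adjust for your cert setup
    with opener(build_delete_request(payload, target_search), context=ctx) as resp:
        return resp.status


if __name__ == "__main__" and len(sys.argv) > 1 and sys.argv[1] == "--execute":
    data = json.load(sys.stdin)
    # Name of the "stopped" alert, supplied as an alert action parameter.
    code = run(data, data["configuration"]["target_search"])
    print("fired_alerts_delete_status=%s" % code, file=sys.stderr)
```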