How do I delete an index with an alert action?

achrysou · ‎09-24-2018

Hello,

I would like to have an alert that would search index "A" , and if the threshold is X , it would delete indexB where fieldA=Z

How do I do this?

I tried with splunk_search alert action add on, but doesn't seem to support the | delete in the search to be performed.

Thanks,
Andreas

achrysou · ‎09-25-2018

So after digging more, it looks like the "| delete" works only on a scheduled search and not in alert.
So instead of alert I use scheduled Report to delete the relevant data in the index.
To fulfill my scenario I had to create also one additional alert that would store the id to be deleted in a custom dedicated index (because the query required could not support delete).

acharlieh · ‎09-24-2018

I haven't mucked with that alert action, but out of curiosity, does the user running the search have the can_delete role / the delete_by_keyword privilege? (otherwise | delete in a search will fail...)

Also could you expand more on your usecase... I'm really curious as to your use case as this seems like a rather interesting workflow where you seem to be attempting to maintain state in an index, which might actually be better suited to being in a lookup of some kind....

achrysou · ‎09-24-2018

So the use case is the following:
I have a log that reports the values timestamp and CPU.
I have an alert for critical when value is more than 90 (Critical_CPU).
I use the alert manager add-on to index the alerts generated in an index named alert.
So I want to create an alert for Normal, where CPU < 90, that if is triggered it will delete any data in alert index where title=Critical_CPU.
Like this I can auto-acknowledge an alert if threshold is back to the normal.

achrysou · ‎09-24-2018

my testing user has power & admin role

How do I delete an index with an alert action?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!