Hello,
I would like to have an alert that would search index "A", and if the threshold is X, it would delete indexB where fieldA=Z.
How do I do this?
I tried with the splunk_search alert action add-on, but it doesn't seem to support the | delete in the search to be performed.
Thanks,
Andreas
So after digging more, it looks like "| delete" works only in a scheduled search and not in an alert.
So instead of an alert I use a scheduled report to delete the relevant data in the index.
To fulfill my scenario I also had to create one additional alert that would store the id to be deleted in a custom dedicated index (because the required query could not support delete).
I haven't mucked with that alert action, but out of curiosity, does the user running the search have the can_delete role / the delete_by_keyword privilege? (otherwise | delete in a search will fail...)
Also, could you expand more on your use case... I'm really curious as to your use case, as this seems like a rather interesting workflow where you seem to be attempting to maintain state in an index, which might actually be better suited to being in a lookup of some kind....
So the use case is the following:
I have a log that reports the values timestamp and CPU.
I have an alert for critical when value is more than 90 (Critical_CPU).
I use the alert manager add-on to index the alerts generated in an index named alert.
So I want to create an alert for Normal, where CPU < 90, that, if it is triggered, will delete any data in the alert index where title=Critical_CPU.
This way I can auto-acknowledge an alert if the threshold is back to normal.
My testing user has the power & admin roles.
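The two-stage workflow Andreas lands on in this thread (an alert that only records which critical alert to acknowledge, plus a scheduled report that runs "| delete"), written out as an added savedsearches.conf example. This is illustrative config, not the thread's own configuration and not part of the Alert Manager add-on. Assumed names: index cpu_metrics for the CPU log, index alert as written by the add-on with a title field and a per-alert field alert_id, a dedicated index alert_to_delete for the ids, and hosts identified by a host field.

```ini
# savedsearches.conf, e.g. in <app>/local/ -- added example, not from the thread or the add-on.
# Assumptions: index cpu_metrics (source log), index alert (written by Alert Manager, with
# fields title and alert_id), index alert_to_delete (dedicated state index, must exist).

# Stage 0: the existing critical alert. Alert Manager indexes each trigger into index=alert
# with title=Critical_CPU (configured in the add-on, not here).
[Critical_CPU]
search = index=cpu_metrics earliest=-5m \
| stats latest(cpu) AS cpu BY host \
| where cpu > 90
cron_schedule = */5 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Stage 1: the "Normal" alert. For each host that is back under 90 and still has a
# Critical_CPU alert in index=alert, write that alert's id to the dedicated index.
# No "| delete" here, since it does not run from an alert.
[Normal_CPU_mark_for_ack]
search = index=cpu_metrics earliest=-5m \
| stats latest(cpu) AS cpu BY host \
| where cpu < 90 \
| join type=inner host \
    [ search index=alert title=Critical_CPU earliest=-24h \
      | stats latest(_time) AS alert_time BY host alert_id ] \
| fields host alert_id alert_time \
| collect index=alert_to_delete marker="reason=auto_ack"
cron_schedule = */5 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Stage 2: a scheduled report (not an alert) that performs the deletion, offset two
# minutes after stage 1. The subsearch expands the stored ids into
# (alert_id="..." OR alert_id="..."), so only those critical alerts are marked deleted;
# an empty subsearch matches nothing, so nothing is deleted by accident.
# The owner of this report needs the can_delete role (delete_by_keyword capability).
[Auto_ack_delete]
search = index=alert title=Critical_CPU earliest=-24h \
    [ search index=alert_to_delete earliest=-15m \
      | fields alert_id \
      | format ] \
| delete
cron_schedule = 2-59/5 * * * *
enableSched = 1
```

Before enabling Auto_ack_delete, run its search once without the trailing "| delete" and confirm that only the intended Critical_CPU events come back, because delete acts on exactly the events the preceding search returns. Two caveats a practitioner should keep in mind: "| delete" only marks events unsearchable and does not reclaim disk space, and once an alert event is deleted it also disappears from stage 1's join, which is what stops the same alert from being marked again. A KV Store lookup, as the reply above suggests, would hold this open/acknowledged state without resorting to deletion at all.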