Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Limit number of alerts in RSS
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Limit number of alerts in RSS
Hi,
I'm using an RSS feed to view alerts from a scheduled search. The purpose is to maintain a sort of dead man's grip monitoring that feed with a third party application. The RSS feed does not need authentication, which is why I prefer this over the RESTful API.
However, the RSS keeps track of the 30 latest alerts, even after they have expired. Is there a way not showing expired alert or limiting the number of alerts in the RSS feed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UP
I tried to setup
items_count=1
in alert_actions.conf under [rss] stanza, as specified in .spec file,
items_count = <number>
* Number of saved RSS feeds.
* Cannot be more than maxresults (in the global settings).
* Defaults to 30.
but I still found 30 items.
Any hint?
Ciao
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never really tried this, as it seems to me the items_count affects the RSS feeds of all alerts, not just this specific one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am not sure but I feel that once a search gets expired, the corresponding search results directory in "dispatch" folder also gets deleted.
If that's true, whenever you fetch RSS feed, you can extract the sub folder inside dispatch directory to see if it exists or not and if it does not exists, you can stop processing more on the RSS entry just fetched.
Let me know your views and if it helps.
Regards,
Amit Saxena
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To be honest, I never tried this solution. This apparently requires shell access to the dispatch directory. Therefore it is not exactly in line with what I want to achieve.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
