
Is there a way to resolve multiple incidents at once in Alert Manager?

gbhaghavatula
Explorer

We have a lot of events which log error incidents every day, and it's a lot of manual work to close each incident manually.

I want a solution where I don't have to suppress any event alerts, but I want to close those incidents after I review them all.

Any ideas?

Imadam
Observer

Hi,

Can I auto-resolve alerts based on other events with different status?
For example I have events:
ID    Host   Status
1221  Ex12   Critical
1312  Ex12   Normal

I want to auto close alert 1221 based on event 1312

0 Karma

my2ndhead
SplunkTrust

Will be part of the next release https://github.com/simcen/alert_manager/issues/191

0 Karma

chalak
Path Finder

Thanks for the information.

0 Karma

chalak
Path Finder

Hi all,

Would you please be able to advise how to achieve closing multiple alerts at once through the Alert Manager app directly (ideally on the Incident Posture tab)? At the bottom of the Incident Posture tab there can be 10 alerts; is there a possibility to have, for example, a checkbox to select certain alerts and close them? Would there be any similar way to achieve this idea?

0 Karma

gbhaghavatula
Explorer

Thanks a ton Christian. We will implement this idea soon and I will let you know how this worked.

0 Karma

riki1092
New Member

Did the query help you in closing multiple open alerts in one go?

0 Karma

gbhaghavatula
Explorer

Hi, thanks for your reply.

Can you let me know how you implement this query? Do you create a rule in Splunk for the incidents to close? Let me know more details about this process.

Thanks again for your response, appreciate it.

Thanks;
GAUTI

0 Karma

christianhuber
Path Finder

Hi

I usually use this to close all open tickets after the testing period, to start with a clean sheet. If you plan to regularly close the incidents you should probably work with the auto-resolve options. You see these options when you configure an Alert Manager trigger.

Or, the dirty way: you just schedule the search above to run at a specific interval of your choice.

Christian

0 Karma

riki1092
New Member

Can you please help me out with how to close multiple open alerts in one go? As of now I am closing them manually with the search incident option.

It would be great if you could send the steps for how to set up the query.

arkobardhan2011@gmail.com

0 Karma

christianhuber
Path Finder

Hi,

I am not sure if this is the solution to your problem, but I close my incidents with this command:

index=alerts | table _time incident_id | dedup incident_id | modifyincidents status="Resolved" comment="autoclose"

It may take a moment depending on how many open incidents you have.
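A more cautious form of the bulk-close search above, added here as an example and not code from the original post or from the Alert Manager app. It keeps the same index and the same modifyincidents command, and adds two things a reviewer wants before resolving incidents in bulk: a bounded time window, and a preview search that lists what would be closed without changing anything. The filters on the alert and status fields are assumptions about what the events in index=alerts carry; confirm the field names and status values in your own installation (for example with | fieldsummary) before relying on them, and note that if your index only records the status an incident had when it was created, a status filter will not exclude incidents that were resolved since, so the time window and the preview are what actually protect you.

```spl
index=alerts earliest=-7d latest=now incident_id=* status=new alert="*Error*"
| dedup incident_id
| table _time incident_id alert status

index=alerts earliest=-7d latest=now incident_id=* status=new alert="*Error*"
| dedup incident_id
| modifyincidents status="Resolved" comment="bulk close after review"
```

Run the first search, check the list, then run the second with identical filters so it resolves exactly the incidents you reviewed. If you schedule the second search as Christian suggests, remember that a scheduled search runs with the permissions of its owner, so restrict who can edit that saved search: anyone who can change its filter can silently resolve incidents they never reviewed. Putting a reviewer's name or ticket reference in the comment keeps the resolution traceable afterwards.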
