We have a lot of events which log error incidents every day, and it is a lot of manual work to close each incident by hand.
I want a solution where I don't have to suppress any event alerts, but I want to close those incidents after I have reviewed them all.
Can I auto-resolve alerts based on other events with different status?
For example I have events:
ID    Host  Status
1221  Ex12  Critical
1312  Ex12  Normal
I want to auto-close alert 1221 based on event 1312.
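The correlation rule the question describes (close a Critical incident once a later Normal event arrives for the same host), as an added example that is not code from this thread or from the Alert Manager app. The event records, the field names (time, incident_id, host, status) and the status values are constructed assumptions; in practice the input would come from a scheduled search and the resulting IDs would then be passed to whatever closes incidents in your deployment.

```python
"""Added example, not from the thread or the Alert Manager app.

Given a list of events, decide which Critical incidents can be auto-resolved
because the same host later reported Normal. Only a Normal event that is
LATER than the Critical one counts, so a Normal event that precedes a
Critical on the same host does not close it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    time: int          # epoch seconds (constructed field name)
    incident_id: str
    host: str
    status: str        # assumed values: "Critical" or "Normal"


# Constructed sample events, not real Splunk data.
# 1312 (Normal) arrives after 1221 (Critical) on Ex12, as in the question.
SAMPLE_EVENTS: List[Event] = [
    Event(1000, "1221", "Ex12", "Critical"),
    Event(1100, "1312", "Ex12", "Normal"),
    Event(1200, "1400", "Ex13", "Critical"),   # no later Normal: stays open
    Event(1300, "1401", "Ex14", "Normal"),     # Normal BEFORE the Criticals
    Event(1400, "1402", "Ex14", "Critical"),   # must not be closed by 1401
    Event(1500, "1403", "Ex14", "Critical"),
    Event(1600, "1404", "Ex14", "Normal"),     # closes both 1402 and 1403
]


def plan_auto_resolve(events: List[Event],
                      open_status: str = "Critical",
                      clear_status: str = "Normal") -> List[Tuple[str, str]]:
    """Return (incident_id, resolved_by_event_id) pairs for incidents to close.

    Events are processed in time order, keeping the still-open incident IDs
    per host. A clear_status event closes every open incident on its host
    that was seen before it, and nothing that arrives afterwards.
    """
    open_by_host: Dict[str, List[str]] = {}
    resolved: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.status == open_status:
            open_by_host.setdefault(ev.host, []).append(ev.incident_id)
        elif ev.status == clear_status:
            # pop() returns [] when nothing is open for this host
            for inc in open_by_host.pop(ev.host, []):
                resolved.append((inc, ev.incident_id))
    return resolved


def still_open(events: List[Event],
               open_status: str = "Critical",
               clear_status: str = "Normal") -> List[str]:
    """Incident IDs of open_status events that no later clear event covered."""
    closed = {inc for inc, _ in plan_auto_resolve(events, open_status, clear_status)}
    return [e.incident_id for e in events
            if e.status == open_status and e.incident_id not in closed]


if __name__ == "__main__":
    for inc, by in plan_auto_resolve(SAMPLE_EVENTS):
        print(f"resolve incident {inc}: host back to Normal in event {by}")
    print("still open:", still_open(SAMPLE_EVENTS))
```

The per-host list (rather than a single flag) is what makes several open Criticals on one host all close on the next Normal, and sorting by time is what keeps an earlier Normal from closing a Critical raised after it.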
Would you please be able to advise how to close multiple alerts at once through the Alert Manager app directly (ideally on the Incident Posture tab)? At the bottom of the Incident Posture tab there can be 10 alerts; is there a possibility to have, for example, a checkbox to select certain alerts and close them? Would there be any similar way to achieve this idea?
Hi, thanks for your reply.
Can you let me know how you implement this query? Do you create a rule in Splunk for the incidents to close? Let me know more details about this process.
Thanks again for your response, appreciate it.
I usually use this to close all open tickets after the testing period, to start with a clean sheet. If you plan to close the incidents regularly you should probably work with the auto-resolve options. You see these options when you configure an Alert Manager trigger.
Or, the dirty way: you just schedule the search above to run at a specific interval of your choice.
Can you please help me out with how to close multiple open alerts in one go? As of now I am closing them manually with the search incident option.
It would be great if you could send the steps for how to set up the query.
I am not sure if this is the solution to your problem, but I close my incidents with this command:
index=alerts | table _time incident_id | dedup incident_id | modifyincidents status="Resolved" comment="autoclose"
It may take a moment, depending on how many open incidents you have.