Is there a way to resolve multiple incidents at once in Alert Manager?

Explorer

We have a lot of events which log error incidents every day, and it's a lot of manual work to close each incident manually.

I want a solution where I don't have to suppress any event alerts, but I want to close those incidents after I review them all.

Any ideas?

New Member

Hi,

Can I auto-resolve alerts based on other events with different status?
For example I have events:
ID Host Status
1221 Ex12 Critical
1312 Ex12 Normal

I want to auto-close alert 1221 based on event 1312.

0 Karma

SplunkTrust

Will be part of the next release: https://github.com/simcen/alert_manager/issues/191

0 Karma

Path Finder

Thanks for the information.

0 Karma

Path Finder

Hi all,

Would you please be able to advise how to close multiple alerts at once through the Alert Manager app directly (ideally on the Incident Posture tab)? At the bottom of the Incident Posture tab there can be 10 alerts; is there a possibility to have, for example, a checkbox to select certain alerts and close them? Would there be any similar possibility to achieve this idea?

0 Karma

Explorer

Thanks a ton Christian. We will implement this idea soon and I will let you know how this worked.

0 Karma

New Member

Did the query help you in closing multiple open alerts in one go?

0 Karma

Explorer

Hi, thanks for your reply.

Can you let me know how you implement this query? Do you create a rule in Splunk for the incidents to close? Let me know more details about this process.

Thanks again for your response, appreciate it.

Thanks,
GAUTI

0 Karma

Path Finder

Hi

I usually use this to close all open tickets after the testing period, to start with a clean sheet. If you plan to regularly close the incidents, you should probably work with the auto-resolve options. You see these options when you configure an Alert Manager trigger.

Or, the dirty way: you just schedule the search above to run at a specific interval of your choice.

Christian

0 Karma

New Member

Can you please help me out with how to close multiple open alerts in one go? As of now I am closing them manually with the search incident option.

It would be great if you could send the steps how to set the query.

arkobardhan2011@gmail.com

0 Karma

Path Finder

Hi,

I am not sure if this is the solution to your problem, but I close my incidents with this command.

index=alerts | table _time incident_id | dedup incident_id | modifyincidents status="Resolved" comment="autoclose"

It may take a moment depending on how many open incidents you have.
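As an added example (not from the thread or the Alert Manager project), this is how the "dirty way" Christian mentions could be set up: a savedsearches.conf stanza in a private app that runs his search on a schedule. The stanza name, the 24-hour look-back window and the 06:00 cron are assumptions; only the search itself comes from the thread.

```ini
# Added example stanza for savedsearches.conf (e.g. local/savedsearches.conf of a
# private app); the stanza name is assumed, not an Alert Manager convention.
[Alert Manager - Bulk close reviewed incidents]

# Assumed look-back window: only incidents logged in the last day are touched,
# so a mis-scheduled run cannot silently resolve older incidents.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

# The search from the thread. The comment="autoclose" value is kept so the
# automated closure is visible in each incident's history when auditing later.
search = index=alerts | table _time incident_id | dedup incident_id | modifyincidents status="Resolved" comment="autoclose"

# Assumed schedule: once a day at 06:00, after the daily review window.
cron_schedule = 0 6 * * *
enableSched = 1

# Ship it disabled; enable only after running the search interactively once
# and confirming it resolves exactly the incidents you expect.
disabled = 1
```

Note that the search as posted does not filter on incident status, so every incident in the window is passed to modifyincidents on each run, already-resolved ones included.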