AppD Archive

Orphaned Health Rule violations remain open

CommunityUser
Splunk Employee
Splunk Employee

Hi,

I have some health rule violations that are stuck open.  The actual rule was deleted now they show as "Health Rule: Not found (id 19683)" and remain open.

How can these be forced closed/cancelled?

Thanks,

0 Karma

Arun_Dasetty
Super Champion

Hi,

Apologies for delay in response, if this still an issue and if this is an on premise local controller, see if below information helps:

Navigate to controller installation directory and open mysql prompt:
shell> cd <Controller_install_dir>/bin
shell> ./controller.sh login-db
User controller.bat if this is windows controller

mysql> select * from incident where health_rule_id =19683 and end_time is null;

replace 122222 in below query with value from incident id captured from above query output

mysql> update incident set end_time = 1473397200000, status = 'CANCELLED' where id = 122222;


0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...