×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Amit_Sharma1
Engager
Member since: ‎11-28-2023
‎09-08-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-28-2023
View All

Re: Problem resolution alert using splunk and send...

by in Alerting
‎09-08-2025 05:50 PM
‎09-08-2025 05:50 PM
This worked with some tweaking and I see the alerts are getting cleared. Now I am facing the issue how to clear this on pagerduty. I will see if the webhook allows me to clear it by any way or needs the splunk- pagerduty app to do it. Thanks for your solution. ... View more

Re: Problem resolution alert using splunk and send...

by in Alerting
‎09-02-2025 06:51 PM
‎09-02-2025 06:51 PM
Thanks livehybrid. I have applied the changes and so far not received any alert. I will wait for the threshold to be breached and see if it clears the alert based on the lookup entry. So far i tested it manually by decreasing the threshold it created a lookup entry with alert status changing from 1 to 0. Thanks, Amit ... View more

Re: Problem resolution alert using splunk and send...

by in Alerting
‎08-31-2025 11:34 PM
‎08-31-2025 11:34 PM
Thanks @PrewinThomas  for looking and replying. With this solution it will keep on triggering the resolution alert after every 30 min window(based on my alert condition) as it is always below threshold. My requirement is as below I need an alert trigger as soon as error_rate crosses 30% and if it is below 30% clear the existing alert on pagerduty and this check should run every 30 min. I do not need any alert(pagerduty notification) if it is below 30%(which means clear alert). Thanks, Amit ... View more

Problem resolution alert using splunk and send it ...

by in Alerting
‎08-31-2025 05:44 PM
‎08-31-2025 05:44 PM
Hi Splunkers, I am working on an alert which calculates the error rate (> 30%)and send the alerts to pagerduty via API index="test1" source="mylogs"  NOT "TEST" earliest=-30m latest=now (":search-result match-indicator=\"PASS\" *******query******* | stats count(id) AS OKStats | appendcols [ search source=mylogs (":search-result match-indicator=\"ERROR\" *******query*******) NOT "TEST" earliest=-30m latest=now | stats count(id) AS ERRORStats] | eval TotalTransactions = OKStats + ERRORStats | eval ErrorRate = if(TotalTransactions > 0, round((DFAT_AP_ERR / TotalTransactions) * 100, 2), 0) | where ErrorRate >= 30 | eval dedup_key="HighErrorRate" | table ErrorRate, dedup_key Now to clear the alert, I created another alert(<30%) index="serverlogs" source="mylogs"  NOT "TEST" earliest=-30m latest=now (":search-result match-indicator=\"PASS\" ************myqueryparams************ | stats count(id) AS OKStats | appendcols [ search source=mylogs (":search-result match-indicator=\"ERROR\" ************myqueryparams************) NOT "TEST" earliest=-30m latest=now | stats count(id) AS ERRORStats] | bin _time span=5m | eval ErrorPercent = if((OKStats + ERRORStats) > 0, round(ERRORStats / (OKStats + ERRORStats) * 100, 2), 0) | sort -_time | streamstats window=2 latest(ErrorPercent) as latest_percent, latest(_time) as latest_time, earliest(ErrorPercent) as earliest_percent | where latest_time = _time AND latest_percent < 30 AND earliest_percent >= 30 | head 1 | eval dedup_key="HighErrorRate" | table latest_percent, earliest_percent, dedup_key I created two conditions and sending to pagerduty(number of rows >1),running every 30min and enabled throttle. I do not see the second alert working or clearing the alert.  Any advice how to achieve the clearing of alerts which means the alert should be cleared on pagerduty. Currently creating python script is out of scope due to security reasons. Hence, was trying it via splunk query. Regards, Amit ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-08-2025 05:48 PM
Karma given to
View All