Is there any way to enable and disable the Splunk alerts automatically based on the log source?
e.g., we have Site 1 and Site 2 in an active-passive setup.
Case 1: Site 1 is active and Site 2 is passive; all Site 1 alerts should get enabled automatically. We can search for the Site 1 host as the condition to enable alerts.
Case 2: Site 2 is active and Site 1 is passive; all Site 2 alerts should get enabled automatically. We can search for the Site 2 host as the condition to enable alerts.
If you're speaking of alerts on different Splunk servers, the only solution is to have a Search Head Cluster, so only one server will run alerts.
If instead you're speaking of alerts on one server and site1 and site2 are different hosts, you have to add this condition, as a filter, in your search.
In other words, if there's a condition to test (e.g. a status parameter, also in another search) to find the active host, you could run something like this:
<your_main_search> [ search <your_host_status_search> | dedup host | fields host ] | ...
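The answer above filters at search time; the original question also asks for the alerts themselves to be switched on and off. The script below is an added example, not code from the thread or from gcusello: it derives the active site from the hosts seen in recent logs (the same dedup-by-host idea as the subsearch above), plans which saved searches to enable or disable, and can apply the plan through Splunk's saved/searches/{name}/enable and /disable REST endpoints. The host prefixes (HostSite1*, HostSite2*), the alert names, the app name, the index in the SPL string, the base URL and the token placeholder are all assumptions; the sample host list is constructed. It deliberately refuses to flip anything when zero or several sites are logging, since that is what a failover window looks like.

```python
"""
Added example (not from the thread): decide which site is active from the
hosts seen in recent logs, then plan and (optionally) apply enable/disable
of the matching Splunk alerts through the saved/searches REST endpoints.
Site names, alert names and host names below are constructed for the
example; replace them with your own.
"""
import ssl
import urllib.parse
import urllib.request

# Host name prefix -> site, mirroring the naming convention in the thread
# (HostSite1*, HostSite2*). Assumed layout; adjust to your environment.
SITE_HOST_PREFIX = {"site1": "HostSite1", "site2": "HostSite2"}

# Alert (saved search) name -> site it belongs to. Assumed names.
ALERT_SITES = {
    "Site1 - Disk usage high": "site1",
    "Site1 - App errors": "site1",
    "Site2 - Disk usage high": "site2",
    "Site2 - App errors": "site2",
}

# SPL you would run (via the search REST API or a scheduled search) to find
# which hosts have logged recently; its host column feeds hosts_seen below.
# "index=app" is an assumed index name.
ACTIVE_HOST_SPL = "search index=app earliest=-15m | dedup host | fields host"

# Constructed sample of what that search returns: only Site 1 hosts have
# produced events in the window, so Site 1 is active.
SAMPLE_HOSTS_SEEN = ["HostSite1-app01", "HostSite1-app02"]


def site_of_host(host):
    """Map a host name to its site via the naming prefix, or None."""
    for site, prefix in SITE_HOST_PREFIX.items():
        if host.startswith(prefix):
            return site
    return None


def active_site(hosts_seen):
    """Return the single active site, or None if it cannot be determined.

    Returning None when zero or several sites are logging is deliberate:
    during a failover window both sites may log briefly, and an automated
    flip at that moment would either disable every alert or leave both
    sets enabled. Leave the alerts untouched until the picture is clear.
    """
    sites = {s for s in map(site_of_host, hosts_seen) if s is not None}
    if len(sites) != 1:
        return None
    return sites.pop()


def plan_alert_changes(active, alert_sites=ALERT_SITES):
    """Return (to_enable, to_disable) as sorted lists of alert names."""
    if active is None:
        return [], []
    to_enable = sorted(a for a, s in alert_sites.items() if s == active)
    to_disable = sorted(a for a, s in alert_sites.items() if s != active)
    return to_enable, to_disable


def alert_toggle_urls(base_url, app, to_enable, to_disable):
    """Build the REST URLs for the plan.

    Splunk exposes POST saved/searches/{name}/enable and /disable; the
    app-scoped servicesNS path is used so the right knowledge object is hit.
    """
    prefix = f"{base_url}/servicesNS/nobody/{app}/saved/searches/"
    urls = [prefix + urllib.parse.quote(n, safe="") + "/enable" for n in to_enable]
    urls += [prefix + urllib.parse.quote(n, safe="") + "/disable" for n in to_disable]
    return urls


def apply_plan(urls, token, dry_run=True, verify_tls=True):
    """POST each toggle URL with a bearer token; dry_run only lists them."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    results = []
    for url in urls:
        if dry_run:
            results.append((url, "dry-run"))
            continue
        req = urllib.request.Request(
            url, data=b"", method="POST",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            results.append((url, resp.status))
    return results


if __name__ == "__main__":
    site = active_site(SAMPLE_HOSTS_SEEN)
    enable, disable = plan_alert_changes(site)
    urls = alert_toggle_urls("https://splunk.example.internal:8089",  # assumed
                             "search", enable, disable)
    for url, status in apply_plan(urls, token="<SPLUNK_TOKEN>", dry_run=True):
        print(status, url)
```

Run it on a schedule (a cron job or a scripted alert action) on the search head that owns the alerts, feeding the real `host` column from ACTIVE_HOST_SPL into `active_site` and switching `dry_run=False` once the printed plan looks right. Because every alert stays untouched whenever the active site is ambiguous, a noisy failover cannot silence both sites at once; a separate alert on `active_site` returning None for more than one cycle tells you the detection itself needs attention.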
Hi @gcusello, thank you for the reply.
Both hosts are on the same Splunk server.
We don't have any parameter in the logs which identifies the currently active site, so we are using host naming (e.g., HostSite1, HostSite2). How would we automate enable/disable of alerts based on the host name?
OK, but the logs you're using for the alert come from two different hosts, one active and one passive.
So, if I understood correctly, you want to use only host1 if host1 is the active one, and host2 if that is the active one.
One question: can you have both logs from host1 and host2?
If yes, are they different?
If they are the same, you could dedup results using the duplicated fields that you have in your alert.
Or you could group results so the host value isn't relevant. Could you share your alert search?
Check if the host field in the results of your alarm is only the active host; in this case you can