Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to automate Enable and Disable of Splunk Alerts Based on logs entry?

SplunkSN
Loves-to-Learn Everything
‎09-13-2023 09:50 AM

Hi All,

Is there any way to enable and disable the Splunk alerts automatically based on the  logs source.

e.g. We have Site1 and Site 2 is active-passive setup. 

 case1:- Site 1 is active and Site 2 is passive all Site 1 alerts should get enabled automatically. we can search for Site1 host as condition to enable alerts.

Case 2 :- Site 2 is active and Site 1 is passive all Site 2 alerts should get enabled automatically. we can search for Site2 host as condition to enable alerts.

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2023 11:42 PM

Hi @SplunkSN,

if you're speaking of alerts on different Splunk servers, the only solution is to have a Search Head Cluster, so only one server will run alerts.

If instead you're speaking of alerts on one server and site1 and site2 are different hosts, you have to add this condition, as a filte, in your search.

In other words, if there's a condition to test (e.g. a status parameter, also in another search) to test to find the active host, you could run something like this:

<your_main_search> [ search <your_host_status_search> | dedup host | fields host ]
| ...

 Ciao.

Giuseppe

0 Karma
Reply

SplunkSN
Loves-to-Learn Everything
‎09-14-2023 06:51 AM

Hi @gcusello , Thank you for the reply.

Both the hosts are on same Splunk server.

We don't have any parameter in logs which identify. currently active site so we are using Host naming e.g., HostSite1, Hostsite2), how we would automate enable/disable of alerts based on the host name.

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 07:10 AM

Hi @SplunkSN,

ok, but the logs you're using for the alert, come from two different hosts, one active and one passive.

So, if I correctly understood, you want to use only host1 if host1 is the active one and host2 if this is the active one.

One question, can you have both logs from host1 and host2?

if yes, are they different?

if they are the same you could dedup results using the duplicated fields that you have in your alert.

or you could group results so the host value isn't relevant, could you share your alert search?

Ciao.

Giuseppe

check if the host field in the results of your alarm is only the active host, in this case you can 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...