Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to automate Enable and Disable of Splunk Alerts Based on logs entry?

SplunkSN
Loves-to-Learn Everything
‎09-13-2023 09:50 AM

Hi All,

Is there any way to enable and disable the Splunk alerts automatically based on the  logs source.

e.g. We have Site1 and Site 2 is active-passive setup. 

 case1:- Site 1 is active and Site 2 is passive all Site 1 alerts should get enabled automatically. we can search for Site1 host as condition to enable alerts.

Case 2 :- Site 2 is active and Site 1 is passive all Site 2 alerts should get enabled automatically. we can search for Site2 host as condition to enable alerts.

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2023 11:42 PM

Hi @SplunkSN,

if you're speaking of alerts on different Splunk servers, the only solution is to have a Search Head Cluster, so only one server will run alerts.

If instead you're speaking of alerts on one server and site1 and site2 are different hosts, you have to add this condition, as a filte, in your search.

In other words, if there's a condition to test (e.g. a status parameter, also in another search) to test to find the active host, you could run something like this:

<your_main_search> [ search <your_host_status_search> | dedup host | fields host ]
| ...

 Ciao.

Giuseppe

0 Karma
Reply

SplunkSN
Loves-to-Learn Everything
‎09-14-2023 06:51 AM

Hi @gcusello , Thank you for the reply.

Both the hosts are on same Splunk server.

We don't have any parameter in logs which identify. currently active site so we are using Host naming e.g., HostSite1, Hostsite2), how we would automate enable/disable of alerts based on the host name.

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 07:10 AM

Hi @SplunkSN,

ok, but the logs you're using for the alert, come from two different hosts, one active and one passive.

So, if I correctly understood, you want to use only host1 if host1 is the active one and host2 if this is the active one.

One question, can you have both logs from host1 and host2?

if yes, are they different?

if they are the same you could dedup results using the duplicated fields that you have in your alert.

or you could group results so the host value isn't relevant, could you share your alert search?

Ciao.

Giuseppe

check if the host field in the results of your alarm is only the active host, in this case you can 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...