Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to automatically rerun failed alerts

codedtech
Path Finder
‎02-05-2021 09:44 AM

Hi,  I have 14 alerts that cover all the infrastructure, my company uses. I get my data from a data bus every 60 minutes, but when that fails and it can for (several hours at a time). I would like to not have to rerun the alerts manually. As a note I don't any elevated access to the Splunk instance or the environment so I can't install apps, add-ins, or update any conf files, but I do have access to the audit and internal indexes. 

Ideally I'd like my conditional trigger to be something like this:
index=_internal sourcetype=scheduler status=!success savedsearch_name="Stuff to search"
| table _time search_type status user app savedsearch_name result_count
|where result_count=0  then <search/commands to rerun alert every hour until results are in>

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-05-2021 10:18 AM

SPL doesn't have conditional execution commands.  Go to https://ideas.splunk.com to suggest them.

Failed alerts will re-run at the next interval.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...