Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to automatically rerun failed alerts

codedtech
Path Finder
‎02-05-2021 09:44 AM

Hi,  I have 14 alerts that cover all the infrastructure, my company uses. I get my data from a data bus every 60 minutes, but when that fails and it can for (several hours at a time). I would like to not have to rerun the alerts manually. As a note I don't any elevated access to the Splunk instance or the environment so I can't install apps, add-ins, or update any conf files, but I do have access to the audit and internal indexes. 

Ideally I'd like my conditional trigger to be something like this:
index=_internal sourcetype=scheduler status=!success savedsearch_name="Stuff to search"
| table _time search_type status user app savedsearch_name result_count
|where result_count=0  then <search/commands to rerun alert every hour until results are in>

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-05-2021 10:18 AM

SPL doesn't have conditional execution commands.  Go to https://ideas.splunk.com to suggest them.

Failed alerts will re-run at the next interval.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...