I have an alert that runs every 1 minute and triggers when latest(status) = stopped.
If the alert runs and sees latest(status) = running, I want it to delete the triggered alert if there is one.
Is there a way to do this in Splunk?
Hello Andrew,
I do not believe there is currently a simple way to achieve this solely from within Splunk itself (happy to be proven wrong though).
Options for a possible solution would include -
There is a REST endpoint to do this, but you are going to have to build your own modular alert action app to do this.
What do you mean by "delete the triggered alert", exactly?
I mean literally delete the triggered alert. In the UI there's a button to delete them, in the REST API there's an endpoint to delete them. I would like an option to delete them if events occur as I described in the OP.