Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Delete triggered alert if condition no longer matched

andrew207
Path Finder
‎04-25-2019 08:05 PM

I have an alert that runs every 1 minute and triggers when latest(status) = stopped.

If the alert runs and sees latest(status) = running, I want it to delete the triggered alert if there is one.

Is there a way to do this in Splunk?

Reply
1 Solution
Solved! Jump to solution
Solution

michael_bates_1
Path Finder
‎04-25-2019 08:51 PM

Hello Andrew,

I do not believe there is currently a simple way to achieve this solely from within Splunk itself (happy to be proven wrong though).

Options for a possible solution would include -

  • There are REST endpoints for "fired_alerts" that will list and allow DELETE operation, however the DELETE operation cannot be called from the rest search command.
    Subsequently, this would require an external script to perform the actions, and given scripted actions is deprecated, I cannot say how long it would continue to function.

  • You could look into some alternate Alert Mgmt apps (I have deployed this one in a number of places now, https://splunkbase.splunk.com/app/2665/ )

  • Other alternatives include lookups, writing events to index, etc

Again these are alternatives, not an answer to your question.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-25-2019 10:03 PM

There is a rest endpoint to do this but you are going to have to build your own modular alert action app to do this.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-25-2019 09:47 PM

What do you mean by delete the triggered alert, exactly?

0 Karma
Reply
Solved! Jump to solution

andrew207
Path Finder
‎04-25-2019 09:56 PM

I mean literally delete the triggered alert. In the UI there's a button to delete them, in the REST API there's an endpoint to delete them. I would like an option to delete them if events occur as I described in OP

0 Karma
Reply
Solved! Jump to solution
Solution

michael_bates_1
Path Finder
‎04-25-2019 08:51 PM

Hello Andrew,

I do not believe there is currently a simple way to achieve this solely from within Splunk itself (happy to be proven wrong though).

Options for a possible solution would include -

  • There are REST endpoints for "fired_alerts" that will list and allow DELETE operation, however the DELETE operation cannot be called from the rest search command.
    Subsequently, this would require an external script to perform the actions, and given scripted actions is deprecated, I cannot say how long it would continue to function.

  • You could look into some alternate Alert Mgmt apps (I have deployed this one in a number of places now, https://splunkbase.splunk.com/app/2665/ )

  • Other alternatives include lookups, writing events to index, etc

Again these are alternatives, not an answer to your question.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...