Re: Limit number of alerts in RSS

echalex · ‎08-07-2012

Hi,

I'm using an RSS feed to view alerts from a scheduled search. The purpose is to maintain a sort of dead man's grip monitoring that feed with a third party application. The RSS feed does not need authentication, which is why I prefer this over the RESTful API.

However, the RSS keeps track of the 30 latest alerts, even after they have expired. Is there a way not showing expired alert or limiting the number of alerts in the RSS feed?

bizza · ‎10-23-2014

UP

I tried to setup
items_count=1
in alert_actions.conf under [rss] stanza, as specified in .spec file,

items_count = <number>
    * Number of saved RSS feeds.
    * Cannot be more than maxresults (in the global settings).
    * Defaults to 30.

but I still found 30 items.

Any hint?

Ciao

echalex · ‎02-01-2015

Never really tried this, as it seems to me the items_count affects the RSS feeds of all alerts, not just this specific one.

amit_saxena · ‎09-12-2013

Hi,

I am not sure but I feel that once a search gets expired, the corresponding search results directory in "dispatch" folder also gets deleted.

If that's true, whenever you fetch RSS feed, you can extract the sub folder inside dispatch directory to see if it exists or not and if it does not exists, you can stop processing more on the RSS entry just fetched.

Let me know your views and if it helps.

Regards,
Amit Saxena

echalex · ‎02-01-2015

To be honest, I never tried this solution. This apparently requires shell access to the dispatch directory. Therefore it is not exactly in line with what I want to achieve.

Limit number of alerts in RSS

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases