topic Re: Putting a list of hosts under maintenance in Alerting

Putting a list of hosts under maintenance

sureshkumaar — Fri, 31 Jul 2020 14:56:10 GMT

Can anyone please let me know how to put a list of hosts under maintenance so that Splunk doesn't trigger alerts for those hosts alone where ever it is used in Alerts.

Re: Putting a list of hosts under maintenance

richgalloway — Fri, 31 Jul 2020 17:28:45 GMT

In general, you could create a lookup file with the names of the hosts under maintenance. Your alert would need to check the lookup before issuing an alert. The exact method for doing so depends on your alert query, but something like this might work

<base search> NOT [ | inputlookup maintenanceHosts.csv | format ] | ...

Re: Putting a list of hosts under maintenance

sureshkumaar — Mon, 03 Aug 2020 09:19:20 GMT

Hi @richgalloway

Thanks for your reply

I tried something below and mentioned only one hosts in the csv file but still i found the events for that host as well.

Kindly let me know is there anything i need to modify/update in this query.

host=host1* OR host=host2* OR host=host3* NOT [ | inputlookup DecomMaint.csv | format ]

Re: Putting a list of hosts under maintenance

richgalloway — Mon, 03 Aug 2020 12:58:54 GMT

Use of parentheses may help. Also, the field name returned from the subsearch must match a field name in the main search (or use rename to make them match).

(host=host1* OR host=host2* OR host=host3*) NOT [ | inputlookup DecomMaint.csv | rename foo as host | fields host | format ]

Re: Putting a list of hosts under maintenance

sureshkumaar — Fri, 14 Aug 2020 13:46:12 GMT

@richgalloway - Apologize for the delay , i tried with 3 hosts in the query and added only one host in the CSV file but still it's returning for that host as well. Kindly help

Re: Putting a list of hosts under maintenance

richgalloway — Fri, 14 Aug 2020 13:56:37 GMT

Can you share your CSV file? Does it have a field called "foo"? If not, change "foo" to match the field name in the lookup file.

Re: Putting a list of hosts under maintenance

sureshkumaar — Fri, 14 Aug 2020 14:10:07 GMT

@richgalloway My CSV file has only one host with field called "host", i tried with this query also but returned the events for the host from the csv file also. Kindly suggest

Re: Putting a list of hosts under maintenance

richgalloway — Fri, 14 Aug 2020 14:15:44 GMT

What results do you get when running the subsearch ("| inputlookup" through "format") by itself?

Re: Putting a list of hosts under maintenance

sureshkumaar — Fri, 14 Aug 2020 14:41:27 GMT

@richgalloway i tried the query "| inputlookup DecomMaint.csv | fields host | format"

Re: Putting a list of hosts under maintenance

richgalloway — Fri, 14 Aug 2020 14:44:26 GMT

Thank you. That output tells me there is no "host" field in the lookup file. Again I ask you to kindly share the lookup file (change host names, if necessary).

Re: Putting a list of hosts under maintenance

sureshkumaar — Fri, 14 Aug 2020 15:26:55 GMT

@richgalloway - It's my BAD, in the lookup table "Destination filename" i updated without file extension ".csv" after typing file name with it's extension. It worked now successfully

Kindly let me know for below clarifications i needed and i can try testing as well

1. Do i need to update this search in the queries for all the alerts where the hosts is in usage?

NOT [ | inputlookup DecomMaint.csv | fields host | format ]

2. is there any way saving this maintenance search as an informational alert and look for all the alerts available in that Splunk and have this maintenance search query effectively run using cron expression setting for a period to not to show the hosts only during that time?

For Ex:- */10 0-1 * * * - setting this will make sure the maintenance query working only during 12 AM - 1 AM EST and results not returning the hosts which i mention in the Lookup file for that time 12 AM - 1 AM.

Re: Putting a list of hosts under maintenance

richgalloway — Fri, 14 Aug 2020 15:32:49 GMT

What you have now is the general method for eliminating hosts under maintenance from a query. Use this method in any search that needs to ignore hosts being maintained.

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.