topic Re: Alert suppression in Splunk Search

Alert suppression

ahuihou — Tue, 28 Aug 2018 20:56:58 GMT

What is the best way to run a search to be alerted/emailed between 4pm-6am M-F, weekend and holidays? Should the search include the times or be adjusted in the cron schedule or lookup table? What would the example look like? Thanks.

Re: Alert suppression

pruthvikrishnap — Tue, 28 Aug 2018 21:32:46 GMT

Hi,
You can do this by adjusting the cron schedule which looks something like this.
The cron syntax is:

  0 7-19 * * 1-5  (run hourly, 7am-7pm inclusive, Mon-Fri) 
  0 7-16 * * 6  (run hourly, 7am-4pm inclusive, Saturday)

Let me know if this helps.

Re: Alert suppression

Shan — Wed, 29 Aug 2018 12:27:26 GMT

@ahuihou,

It's always best to go for cron schedule for your scenario.

Try below cron cmd to schedule for 4pm-6am runs at “At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6.” of ever on everyday. Take cron from 00.

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * *

Re: Alert suppression

ahuihou — Wed, 29 Aug 2018 15:39:37 GMT

No alert during the daytime between 6am-4pm M-F. I want an alert during 4pm-6am + all weekend + all holidays. The holidays would be tricky. Would a lookup table or file be the best or a combination of cron + lookup? If so, how is this accomplished?

Re: Alert suppression

ahuihou — Wed, 29 Aug 2018 16:20:12 GMT

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

Re: Alert suppression

ahuihou — Wed, 29 Aug 2018 16:20:41 GMT

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

Re: Alert suppression

pruthvikrishnap — Wed, 29 Aug 2018 17:27:58 GMT

then you can set an alert to trigger between 4pm-6am everyday.
https://crontab.guru/

Re: Alert suppression

Shan — Wed, 29 Aug 2018 17:31:16 GMT

@ahuihou,

As per ur comment. I look like u need alert for all whole calendar year .. so u don't wanna specify any day ...

Re: Alert suppression

ahuihou — Wed, 29 Aug 2018 20:35:16 GMT

4pm-6am M-F
all day Saturday and Sunday 24hours
Holiday on Monday, all day Monday , Thanksgiving Thursday , all day Thursday. Does that make sense?

Re: Alert suppression

Shan — Thu, 30 Aug 2018 04:45:28 GMT

@ahuihou,

I think then you need to go for 4 different alert setup.
I don't think you can achieve all condition in same cron schedule.
Please try below option..

“At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6 on Monday, Tuesday, Wednesday, Thursday, and Friday.” 

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * Mon,Tue,Wed,Thu,Fri

“At minute 0 past every hour on Saturday and Sunday.” 

00 */1 * * Sat,Sun

“At minute 0 past every hour on Monday.” 

00 */1 * * Mon

“At minute 0 past every hour on Thursday.” 

00 */1 * * Thu

Thanks ..