Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Alert with time exclusion
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have setup an alert to run a search every 10 minutes which looks for a specific Event Code and a Message string. I want this to return results except for times between 12:30am and 1:30am. How can I do this? I tried the following below but it is not working:
index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >30 ) AND (myHour <01 AND myMinute < 30) ) | table _time, ComputerName, Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATED:
....
| where NOT ( (myHour="00" AND myMinute >30 ) OR (myHour="01" AND myMinute < 30))
| table _time, ComputerName, Message
OR
....
| where NOT ( (myHour=0 AND myMinute >30 ) OR (myHour=1 AND myMinute < 30))
| table _time, ComputerName, Message
hi, @johann2017
how about this?
myHour can use by both string and number.
However, numbers must be treated as described above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATED:
....
| where NOT ( (myHour="00" AND myMinute >30 ) OR (myHour="01" AND myMinute < 30))
| table _time, ComputerName, Message
OR
....
| where NOT ( (myHour=0 AND myMinute >30 ) OR (myHour=1 AND myMinute < 30))
| table _time, ComputerName, Message
hi, @johann2017
how about this?
myHour can use by both string and number.
However, numbers must be treated as described above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more question, how can I exclude a larger time range? It seems that this works great for excluding within the same hour, but for instance if try to exclude between 00 and 04 it does not work properly. Example below:
index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >00 ) AND (myHour <04 AND myMinute < 00) ) | table _time, ComputerName, Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, how can I tell the search to only run within a specific timeframe, lets say between only 8am - 5pm?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use index=your_index earliest=01/09/2020:08:00:00 latest=01/09/2020:17:00:00 Remaining search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @snallam123 !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That seems to have done it! Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas
Analytics Workspace deprecation
Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform
