Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Disable splunk alert from 11PM to 2AM everyday AND from 3AM to 6AM Sunday?

HKLM
New Member
‎01-14-2019 07:53 PM

I want to stop getting alerted for specific events that happen which may be increased during maintenance times ( as I don't want to neglect only those alerts, , and I want to avoid them spamming my inbox)
(everyday 11PM-2AM) AND (Sunday 3AM-6AM)

Any advice on this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-14-2019 10:56 PM

@HKLM One of the options would be use two separate crons (Following are once per hour, but you can increase frequency as per your needs):
1) Mon- Sat which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7

Other option would be to handle in your query based on default extracted time fieldsdate_wday and date_hour so that they do not return any events during blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...

You can definitely combine both approaches as well. So that Alert does not trigger in maintenance window and query also takes care of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-14-2019 10:56 PM

@HKLM One of the options would be use two separate crons (Following are once per hour, but you can increase frequency as per your needs):
1) Mon- Sat which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7

Other option would be to handle in your query based on default extracted time fieldsdate_wday and date_hour so that they do not return any events during blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...

You can definitely combine both approaches as well. So that Alert does not trigger in maintenance window and query also takes care of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

HKLM
New Member
‎01-15-2019 06:00 AM

hi @niketn
thanks for your comment.
Can you clarify the 2nd option. I tried to read through the link you provided, it seems a different issue than mine, I have a query like this;
index="os" sourcetype=DBCon source IN ("os_netlogs") no endpoint listening at http://cic.cb.com/PartyLS_HTTPRout/port

0 Karma
Reply
Solved! Jump to solution

HKLM
New Member
‎01-15-2019 06:58 AM

by the way the 2nd cron expression should be 0 0-3,6-23 * * 0

as Sunday is 0 not 7.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...