Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Disable splunk alert from 11PM to 2AM everyday AND from 3AM to 6AM Sunday?

HKLM
New Member
‎01-14-2019 07:53 PM

I want to stop getting alerted for specific events that happen which may be increased during maintenance times ( as I don't want to neglect only those alerts, , and I want to avoid them spamming my inbox)
(everyday 11PM-2AM) AND (Sunday 3AM-6AM)

Any advice on this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-14-2019 10:56 PM

@HKLM One of the options would be use two separate crons (Following are once per hour, but you can increase frequency as per your needs):
1) Mon- Sat which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7

Other option would be to handle in your query based on default extracted time fieldsdate_wday and date_hour so that they do not return any events during blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...

You can definitely combine both approaches as well. So that Alert does not trigger in maintenance window and query also takes care of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-14-2019 10:56 PM

@HKLM One of the options would be use two separate crons (Following are once per hour, but you can increase frequency as per your needs):
1) Mon- Sat which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7

Other option would be to handle in your query based on default extracted time fieldsdate_wday and date_hour so that they do not return any events during blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...

You can definitely combine both approaches as well. So that Alert does not trigger in maintenance window and query also takes care of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

HKLM
New Member
‎01-15-2019 06:00 AM

hi @niketn
thanks for your comment.
Can you clarify the 2nd option. I tried to read through the link you provided, it seems a different issue than mine, I have a query like this;
index="os" sourcetype=DBCon source IN ("os_netlogs") no endpoint listening at http://cic.cb.com/PartyLS_HTTPRout/port

0 Karma
Reply
Solved! Jump to solution

HKLM
New Member
‎01-15-2019 06:58 AM

by the way the 2nd cron expression should be 0 0-3,6-23 * * 0

as Sunday is 0 not 7.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...