Alerting

How create a schedule alert just after 17:00, holidays and weekend?

jfeitosa
Path Finder

I need to schedule an alert that triggers an email alert just after 17:00, holidays and weekend. It's possible?

Tags (1)
0 Karma
1 Solution

sundareshr
Legend

How about something like this. You will need to create a lookup table with list of holidays. Schedule this to run at midnight and at 5 PM and set a throttle in your alert for 234hrs. So, if the holiday or weekend fires, the 5:00pm will not trigger.

| gentimes start=-1 | eval t=now() | eval today=strftime(t, "format to match lookup field") | lookup csvfilewithlistofholidays.csv datefield AS today OUTPUT holidayflag | eval dow=strftime(dow(), "%a") | eval weekendflag=if(dow="Sun" OR dow="Sat", "YES", null()) | eval timeflag=if(strftime(now(), "%H")=17 AND strftime(now(), "%M")<=5 | where timeflag="YES" OR holidayflag="YES" OR weekendflag="YES"

View solution in original post

jfeitosa
Path Finder

OK, thanks guys for the help. I think that create a list of the holidays is a good idea.

0 Karma

gcusello
SplunkTrust
SplunkTrust

To execute search only in week end you can use cron (setting 0 17 * * 6,7).
To manage holidays you have to create a lookup with all your year holidays and manage it in your search.
Bye.
Giuseppe

0 Karma

sundareshr
Legend

How about something like this. You will need to create a lookup table with list of holidays. Schedule this to run at midnight and at 5 PM and set a throttle in your alert for 234hrs. So, if the holiday or weekend fires, the 5:00pm will not trigger.

| gentimes start=-1 | eval t=now() | eval today=strftime(t, "format to match lookup field") | lookup csvfilewithlistofholidays.csv datefield AS today OUTPUT holidayflag | eval dow=strftime(dow(), "%a") | eval weekendflag=if(dow="Sun" OR dow="Sat", "YES", null()) | eval timeflag=if(strftime(now(), "%H")=17 AND strftime(now(), "%M")<=5 | where timeflag="YES" OR holidayflag="YES" OR weekendflag="YES"

richgalloway
SplunkTrust
SplunkTrust

Weekends are easy. Use the following cron setting 0 17 * * 6,7.
Holidays are not possible, IMO. In Linux, one could create a crontab with all holidays in it, but there is no such thing in Splunk. Splunk limits us to a single cron string.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...