Alerting

How to exclude/include last day of every month from a saved search alert?

MrWhoztheBoss
Explorer

Hi Everyone,

I have a base search at hand which is set up as an alert with a threshold value for it to trigger. I want to exclude this alert from running on the last day of every month, as the threshold values expected are higher, and set up a new cloned alert in its place that runs on just the last day of the month.

Is there any way in which we can do this? I tried thinking about a CRON schedule, but managing 30/31 days doesn't seem to be possible with it, and February (28/29) gets completely excluded.

Thanks in advance for any kind of help 😊

1 Solution

gcusello
SplunkTrust

Hi @MrWhoztheBoss,

the easiest way is to exclude the last day of each month in the search condition, in other words, something like this:

if you have the date_mday field, you can use something like this:

your_search
| where NOT ((date_mday=31 AND in(date_month,"january","march","may","july","august","october","december")) OR (date_mday=30 AND in(date_month,"april","june","september","november")) OR (date_mday=29 AND date_month="february") OR (date_mday=28 AND date_month="february" AND (date_year%4!=0 OR (date_year%100=0 AND date_year%400!=0))))
| ...

otherwise, if you don't have date_mday, date_month and date_year, you have to extract them before testing the condition, something like this:

your_search
| eval date_mday=tonumber(strftime(_time,"%d")), date_month=lower(strftime(_time,"%B")), date_year=tonumber(strftime(_time,"%Y"))
| where NOT ((date_mday=31 AND in(date_month,"january","march","may","july","august","october","december")) OR (date_mday=30 AND in(date_month,"april","june","september","november")) OR (date_mday=29 AND date_month="february") OR (date_mday=28 AND date_month="february" AND (date_year%4!=0 OR (date_year%100=0 AND date_year%400!=0))))
| ...

Ciao.

Giuseppe

MrWhoztheBoss
Explorer

Thank you @gcusello! That helped a lot.


ITWhisperer
SplunkTrust

If you can assume that the timeframe for the report either starts (which is the assumption I have used) or ends on the day in question, you could add this near the top of your search so that events for the last day of the month are stripped out.

| addinfo
| where strftime(info_min_time,"%m") == strftime(relative_time(info_min_time,"+1d@d"),"%m")
| fields - info_*

This assumes that your alert is based on the presence of events at the end of the report search.

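As an added example that is not part of either answer above, here is a per-event last-day test that needs no month table and no leap-year arithmetic: relative_time() moves each event one day forward and snaps to midnight, so the day number is "01" exactly when the event fell on the last day of its month. your_search stands in for the base search and count > 100 is a placeholder threshold.

```spl
your_search
| eval is_last_day=if(strftime(relative_time(_time,"+1d@d"),"%d")="01", 1, 0)
| where is_last_day=0
| stats count
| where count > 100
```

For the cloned end-of-month alert keep is_last_day=1 instead; if that clone should be gated on the run day rather than on event time, test now() in place of _time and schedule it with a cron such as 0 23 28-31 * *, so the search itself decides which of those days is the last one.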