Hi Everyone,
I have a base search at hand which is set up as an alert with a threshold value for it to trigger. I want to exclude this alert from running on the last day of every month, as the threshold values expected are higher, and set up a new cloned alert in its place that runs on just the last day of the month.
Is there any way in which we can do this? I tried thinking about a CRON schedule, but managing 30/31 days doesn't seem to be possible with it, and February (28/29) completely gets excluded.
Thanks in advance for any kind of help 😊
Hi @MrWhoztheBoss,
the easiest way is to exclude the last day of each month in the search condition. If you have the date_mday field (and date_month and date_year), you can use something like this:
your_search
| eval is_leap=if((date_year%4=0 AND date_year%100!=0) OR date_year%400=0, 1, 0)
| search NOT ((date_mday=31 AND date_month IN ("january","march","may","july","august","october","december")) OR (date_mday=30 AND date_month IN ("april","june","september","november")) OR (date_mday=29 AND date_month="february" AND is_leap=1) OR (date_mday=28 AND date_month="february" AND is_leap=0))
| ...
Otherwise, if you don't have date_mday, date_month and date_year, you have to extract them before testing the condition, something like this:
your_search
| eval date_mday=tonumber(strftime(_time,"%d")), date_month=lower(strftime(_time,"%B")), date_year=tonumber(strftime(_time,"%Y"))
| eval is_leap=if((date_year%4=0 AND date_year%100!=0) OR date_year%400=0, 1, 0)
| search NOT ((date_mday=31 AND date_month IN ("january","march","may","july","august","october","december")) OR (date_mday=30 AND date_month IN ("april","june","september","november")) OR (date_mday=29 AND date_month="february" AND is_leap=1) OR (date_mday=28 AND date_month="february" AND is_leap=0))
| ...
Ciao.
Giuseppe
Thank you @gcusello! That helped a lot.
If you can assume that the timeframe for the report either starts (which is the assumption I have used) or ends on the day in question, you could add this near the top of your search so that events for the last day of the month are stripped out:
| addinfo
| where strftime(info_min_time,"%m") == strftime(relative_time(info_min_time,"+1d@d"),"%m")
| fields - info_*
This assumes that your alert is based on the presence of events at the end of the report search.
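As an added example (not code from this thread), one way to fold both alerts into a single scheduled search: the threshold is picked inside the SPL from whether the run day is the last day of the month, using the same relative_time trick as above but applied to info_search_time (the time the scheduled search ran) instead of the window start. It assumes the alert runs once a day, its trigger condition is changed to "number of results > 0", and 1000 and 5000 are placeholder thresholds to replace with your own.

```spl
your_search
| stats count AS events
| addinfo
| eval is_last_day=if(strftime(info_search_time,"%m")!=strftime(relative_time(info_search_time,"+1d@d"),"%m"), 1, 0)
| eval threshold=if(is_last_day=1, 5000, 1000)
| where events > threshold
| fields - info_*
```

If the day that matters is the search window's start or end rather than the run time, swap info_search_time for info_min_time or info_max_time, and keep the window's day boundaries aligned with the alert's cron schedule so the month check and the data it gates refer to the same day.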