How to exclude/include last day of every month from a saved search alert?

MrWhoztheBoss
Explorer

Hi Everyone,

I have a base search at hand which is set up as an alert with a threshold value for it to trigger. I want to exclude this alert from running on the last day of every month, as the expected threshold values are higher, and set up a new cloned alert in its place that runs on just the last day of the month.

Is there any way in which we can do this? I tried thinking about a CRON schedule, but managing 30/31 days doesn't seem to be possible with it, and February (28/29) completely gets excluded.

Thanks in advance for any kind of help 😊

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @MrWhoztheBoss,

the easiest way is to exclude the last day of each month in the search condition, in other words, something like this:

if you have the date_mday field, you can use something like this:

your_search
| eval not_leap=if(tonumber(strftime(_time,"%Y"))%4>0,1,0)
| search NOT ((date_mday=31 AND date_month IN ("january","march","may","july","august","october","december")) OR (date_mday=30 AND date_month IN ("april","june","september","november")) OR (date_mday=29 AND date_month="february") OR (date_mday=28 AND date_month="february" AND not_leap=1))
| ...

otherwise, if you don't have date_mday, date_month and date_year, you have to extract them before testing the condition, something like this:

your_search
| eval date_mday=tonumber(strftime(_time,"%d")), date_month=lower(strftime(_time,"%B")), date_year=tonumber(strftime(_time,"%Y")), not_leap=if(tonumber(strftime(_time,"%Y"))%4>0,1,0)
| search NOT ((date_mday=31 AND date_month IN ("january","march","may","july","august","october","december")) OR (date_mday=30 AND date_month IN ("april","june","september","november")) OR (date_mday=29 AND date_month="february") OR (date_mday=28 AND date_month="february" AND not_leap=1))
| ...

Ciao.

Giuseppe

MrWhoztheBoss
Explorer

Thank you @gcusello! That helped a lot.

ITWhisperer
SplunkTrust
SplunkTrust

If you can assume that the timeframe for the report either starts (which is the assumption I have used) or ends on the day in question, you could add this near the top of your search so that events for the last day of the month are stripped out:

| addinfo
| where strftime(info_min_time,"%m") == strftime(relative_time(info_min_time,"+1d@d"),"%m")
| fields - info_*

This assumes that your alert is based on the presence of events at the end of the report search.

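Both answers above come down to the same decision, whether an event's day is the last day of its month. The Python below is an added example, not Splunk code and not from either answer: it implements gcusello's month-length table with the February/leap-year case, ITWhisperer's "next day is in another month" test (the `relative_time(...,"+1d@d")` idea), splits a constructed set of events into the everyday alert and the month-end alert the asker wants, and checks both tests against `calendar.monthrange` for every day of a year. The sample events, the `count` field and the two thresholds are assumptions made for the example.

```python
"""Last-day-of-month filtering, mirroring the two SPL approaches in the thread."""
from datetime import date, datetime, timedelta
import calendar

# Constructed sample events (not from the thread). _time is an ISO timestamp
# standing in for the epoch value Splunk stores in _time.
SAMPLE_EVENTS = [
    {"_time": "2024-01-31T23:15:00", "count": 900},
    {"_time": "2024-02-28T08:00:00", "count": 120},  # 2024 is a leap year: not the last day
    {"_time": "2024-02-29T08:00:00", "count": 950},
    {"_time": "2023-02-28T08:00:00", "count": 940},  # non-leap year: last day of February
    {"_time": "2024-04-29T12:00:00", "count": 100},
    {"_time": "2024-04-30T12:00:00", "count": 910},
]

MONTHS_31 = {1, 3, 5, 7, 8, 10, 12}   # january, march, may, ... in the SPL
MONTHS_30 = {4, 6, 9, 11}             # april, june, september, november


def is_leap_year(year: int) -> bool:
    # Full Gregorian rule. The SPL in the thread only tests divisibility by 4,
    # which gives the wrong answer for years such as 2100.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def is_last_day_by_table(ts: datetime) -> bool:
    """gcusello's method: month-length table plus a leap-year test."""
    if ts.month in MONTHS_31:
        return ts.day == 31
    if ts.month in MONTHS_30:
        return ts.day == 30
    return ts.day == (29 if is_leap_year(ts.year) else 28)


def is_last_day_by_relative_time(ts: datetime) -> bool:
    """ITWhisperer's method: the next day (relative_time "+1d@d") is in another month."""
    return (ts + timedelta(days=1)).month != ts.month


def split_events(events):
    """Return (regular_events, last_day_events): the first list feeds the everyday
    alert, the second the cloned alert that runs only on the last day of the month."""
    regular, last_day = [], []
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        (last_day if is_last_day_by_table(ts) else regular).append(ev)
    return regular, last_day


def alert_fires(events, threshold: int) -> bool:
    """Threshold alert over a set of events, as in the asker's saved search."""
    return sum(ev["count"] for ev in events) > threshold


def methods_agree(year: int) -> bool:
    """Check both tests against calendar.monthrange for every day of one year."""
    d = date(year, 1, 1)
    while d.year == year:
        ts = datetime(d.year, d.month, d.day)
        expected = d.day == calendar.monthrange(d.year, d.month)[1]
        if is_last_day_by_table(ts) != expected:
            return False
        if is_last_day_by_relative_time(ts) != expected:
            return False
        d += timedelta(days=1)
    return True


if __name__ == "__main__":
    regular, last_day = split_events(SAMPLE_EVENTS)
    print("regular days:", [ev["_time"][:10] for ev in regular])
    print("last days:   ", [ev["_time"][:10] for ev in last_day])
    print("everyday alert fires (threshold 500):", alert_fires(regular, 500))
    print("month-end alert fires (threshold 3000):", alert_fires(last_day, 3000))
    print("methods agree for 2024 and 2100:", methods_agree(2024) and methods_agree(2100))
```

The next-day test needs no month table or leap-year arithmetic at all, which is why it is the safer one to carry into SPL; the table version is kept here only to show that, once the February case is handled, the two agree on every day of the year.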