Alerting

How to exclude/include last day of every month from a saved search alert?

MrWhoztheBoss
Explorer

Hi Everyone,

I have a base search at hand which is set up as an alert with a threshold value for it to trigger. I want to exclude this alert from running on the last day of every month, as the expected threshold values are higher, and set up a new cloned alert in its place that runs on just the last day of the month.

Is there any way in which we can do this? I tried thinking about a CRON schedule, but managing 30/31 days doesn't seem to be possible with it, and February (28/29) completely gets excluded.

Thanks in advance for any kind of help 😊

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @MrWhoztheBoss,

the easiest way is to exclude the last day of each month in the search condition, in other words, something like this:

if you have the date_mday field, you can use something like this:

your_search
| where NOT ((date_mday=31 AND date_month IN ("january","march","may","july","august","october","december")) OR (date_mday=30 AND date_month IN ("april","june","september","november")) OR (date_mday=29 AND date_month="february") OR (date_mday=28 AND date_month="february" AND tonumber(date_year) % 4 != 0))
| ...

otherwise, if you don't have date_mday, date_month and date_year, you have to extract them before testing the condition, something like this:

your_search
| eval date_mday=tonumber(strftime(_time,"%d")), date_month=lower(strftime(_time,"%B")), date_year=tonumber(strftime(_time,"%Y"))
| where NOT ((date_mday=31 AND date_month IN ("january","march","may","july","august","october","december")) OR (date_mday=30 AND date_month IN ("april","june","september","november")) OR (date_mday=29 AND date_month="february") OR (date_mday=28 AND date_month="february" AND date_year % 4 != 0))
| ...

Ciao.

Giuseppe

MrWhoztheBoss
Explorer

Thank you @gcusello! that helped a lot.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you can assume that the timeframe for the report either starts (which is the assumption I have used) or ends on the day in question, you could add this near the top of your search so that events for the last day of the month are stripped out:

| addinfo
| where strftime(info_min_time,"%m") == strftime(relative_time(info_min_time,"+1d@d"),"%m")
| fields - info_*

This assumes that your alert is based on the presence of events at the end of the report search.

0 Karma
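Before trusting either exclusion in a production alert, it is worth checking that the predicate never drops or keeps the wrong day, especially around February. The Python below is an added cross-check written for this thread, not code from either answer: it reimplements the month-table approach (gcusello) and the "tomorrow is in a different month" rollover approach (ITWhisperer) over Splunk-style date_year / date_month / date_mday values and compares both against Python's calendar for every day of a range of years, including the 1900 and 2100 non-leap years; the field names and the year range are assumptions.

```python
import calendar
from datetime import date, timedelta

# Added reference check (not code from the thread): the two predicates
# used in the answers above, written over the Splunk-style fields
# date_year / date_month (1-12) / date_mday and cross-checked against
# Python's calendar for every day in a range of years.

MONTHS_31 = {1, 3, 5, 7, 8, 10, 12}
MONTHS_30 = {4, 6, 9, 11}

def is_leap_year(year: int) -> bool:
    # Full Gregorian rule; a bare "year divisible by 4" test wrongly
    # treats 1900 and 2100 as leap years.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def last_day_by_table(year: int, month: int, mday: int) -> bool:
    """Enumeration approach (gcusello): last day number per month,
    with February depending on the leap-year rule."""
    if month in MONTHS_31:
        return mday == 31
    if month in MONTHS_30:
        return mday == 30
    return mday == (29 if is_leap_year(year) else 28)

def last_day_by_rollover(year: int, month: int, mday: int) -> bool:
    """Rollover approach (ITWhisperer): it is the last day exactly when
    the next day starts a new month, i.e. relative_time(_time,"+1d@d")
    in SPL lands in a different month."""
    return (date(year, month, mday) + timedelta(days=1)).month != month

def mismatches(start_year: int, end_year: int) -> list:
    """Dates (as ISO strings) on which either predicate disagrees with
    calendar.monthrange; an empty list means both are safe to use."""
    bad = []
    for year in range(start_year, end_year + 1):
        for month in range(1, 13):
            last = calendar.monthrange(year, month)[1]
            for mday in range(1, last + 1):
                expected = mday == last
                if (last_day_by_table(year, month, mday) != expected
                        or last_day_by_rollover(year, month, mday) != expected):
                    bad.append(f"{year:04d}-{month:02d}-{mday:02d}")
    return bad

if __name__ == "__main__":
    print(mismatches(1900, 2200))  # prints [] when both predicates agree
```

Replacing is_leap_year with a plain "year % 4 == 0" test makes mismatches() report 1900-02-28 and 2100-02-28, which is exactly the gap a simple /4 check leaves in the SPL version.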