Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to ignore messages logged during application restart?

unitedmarsupial
Path Finder
‎12-01-2021 01:37 PM

We have an application, that sends all its log-messages to Splunk (so far so good), and an alert configured to fire, whenever a message with severity above INFO-level is logged.

This works Ok most of the time, except when the application restarts there are multiple such warnings and errors logged by some of its threads. We don't care for these, because the main thread has already announced, that it is shutting down.

How can I phrase the search underlying our alert to exclude any log-entries made after the "I am shutting down" and before the "I started up" ones?

To clarify: we want Splunk to receive all the log-entries, we just don't want the alert to be triggered by those, that are emitted during the program restart...

Labels (1)
Labels
0 Karma
Reply

unitedmarsupial
Path Finder
‎12-21-2021 05:42 PM

@Anonymous, no, that's not, what I meant... The downtimes are not scheduled (well, not precisely scheduled), but the application always logs something like "Ok, I'm shutting down", when it is being shut down, and "Started successfully", when it finishes starting back up later.

I'd like my alert to ignore any and all messages logged in between those two. I know, messages can be grouped -- with transaction -- and there are examples for charting how long something took by substracting the start- from the end-timestamp.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-22-2021 01:23 AM

Hi

I think that this should be a doable? Just create a SPL query which take care of those unwanted events. Maybe something like this?

  1. Your normal query with events which shows shutdown + start time of that service
  2. sort 0 by _time ?
  3. get shutdown + start time e.g. with eventstats (only one restart exists) or streamstats (more than one restarts within time period)
  4. Drop events which are between start and end time (could be little bit challenging with many restarts 🙂

r. Ismo

0 Karma
Reply

Gr0und_Z3r0
Contributor
‎12-02-2021 06:00 AM

From the looks of it, you want to suppress alerts during a planned/known outage time window and also at the same time want to have alerts during the normal operational window if the system fails/reboots. Unfortunately Splunk doesn't provide alert suppression windows, your only best bet is to disable alerts during the planned outage window and re-enable them once the activity is completed successfully.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...