Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to ignore or skip a particular timing in Splunk alert

shashank_24
Path Finder
‎09-17-2020 03:15 AM

Hi, I have an alert which runs every 15 minutes as of now but what i want is to NOT trigger from 1:30 AM to 2:30 AM everyday. That's the time when my server cache gets flushed and the spike in the response time is usual. So I don't want to trigger the alert at this time.

Due to this we are getting false alarms.

How do i achieve this. My query is -

 

 

 

index=test sourcetype=access_combined_wcookie POST requested_content=/checkout/your-order* 
| timechart span=15m avg(response_time_sec) as AvgResponseTime by host 
| eval AvgResponseTime=round(AvgResponseTime,3)

 

 

 

 

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 04:06 AM

you need to schedule same search multiple times with different cron jobs

*/15 0,3-23 * * *  

The above schedules job except below schedules

1 , 1:15,[1:30,1:45,2,2:15,2:30],2:45

you need only three schedules from above except the ones enclosed in []

one cron is not possible to schedule job to run  at 1,1:15 , 2:45 , you need two to achieve this.

so you will need total 3 different cron schedules  as below

*/15 0,3-23 * * *  

00,15 1 * * * 

45 2 * * *

 

————————————
If this helps, give a like below.
0 Karma
Reply

shashank_24
Path Finder
‎09-17-2020 09:06 AM

@thambisetty Ok it make sense. So even if i want to just exclude the time from 02:00 to 02:30 then also I would have to create multiple crons/searches. Right?

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 12:49 AM

@shashank_24 

yes, you are right.

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...