How to ignore or skip a particular timing in Splun...

shashank_24 · ‎09-17-2020

Hi, I have an alert which runs every 15 minutes as of now but what i want is to NOT trigger from 1:30 AM to 2:30 AM everyday. That's the time when my server cache gets flushed and the spike in the response time is usual. So I don't want to trigger the alert at this time.

Due to this we are getting false alarms.

How do i achieve this. My query is -

index=test sourcetype=access_combined_wcookie POST requested_content=/checkout/your-order* 
| timechart span=15m avg(response_time_sec) as AvgResponseTime by host 
| eval AvgResponseTime=round(AvgResponseTime,3)

thambisetty · ‎09-17-2020

you need to schedule same search multiple times with different cron jobs

*/15 0,3-23 * * *

The above schedules job except below schedules

1 , 1:15,[1:30,1:45,2,2:15,2:30],2:45

you need only three schedules from above except the ones enclosed in []

one cron is not possible to schedule job to run at 1,1:15 , 2:45 , you need two to achieve this.

so you will need total 3 different cron schedules as below

*/15 0,3-23 * * *  

00,15 1 * * * 

45 2 * * *

————————————
If this helps, give a like below.

shashank_24 · ‎09-17-2020

@thambisetty Ok it make sense. So even if i want to just exclude the time from 02:00 to 02:30 then also I would have to create multiple crons/searches. Right?

thambisetty · ‎09-18-2020

@shashank_24

yes, you are right.

————————————
If this helps, give a like below.

How to ignore or skip a particular timing in Splunk alert

alert action

alert condition

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?