Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to put an expiration date on a set of saved searches/alerts so after a specified date, they will no longer run?

daniel333
Builder
‎02-09-2016 09:02 AM

All,

New to macros, hoping someone can hammer something out for me or at least point me in the right direction. I am not 100% sure Macros are what I need.

Problem:
I want to put expiration dates on a certain set of saved searches. That is, I want this alert after 6/15/2016 to no longer run. The job should run and just log out the alert as expired or something. Also helpful would be a line of code to warns the job is going to expire in 1 month giving the consumer of the job 30 days notice.

Thinking:
What I think I need to do is create a macros on my job that takes a parameter of the date I want it expire on. In the Macro I should set with an eval alertlifetime="good"|"expiringsoon"|"expiring" and include alertlifetime in the alert subject line as a token. But I am not sold on this solution. If there is something better I am open to it.

Example:

tag=java tag=problem expiremacro("6/6/16") | stats count by host, alertlifetime
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-09-2016 11:33 AM

Looks like you're anyways hard-coding the date in the search, so I don't see any use of macro as such. My suggestion many not look so clean like your macro implementation, but should do the task. Try something like this

 tag=java tag=problem [| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search] 
| stats count by host
| eval Comment=[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-09-2016 11:33 AM

Looks like you're anyways hard-coding the date in the search, so I don't see any use of macro as such. My suggestion many not look so clean like your macro implementation, but should do the task. Try something like this

 tag=java tag=problem [| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search] 
| stats count by host
| eval Comment=[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]
Reply
Solved! Jump to solution

marcospmr
Explorer
‎04-25-2016 06:48 AM

I'm trying this on 6.4, but it's not working. It's not accepting 1=1 as a argument. Any ideas?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-25-2016 09:59 AM

Any specific error you're getting?

0 Karma
Reply
Solved! Jump to solution

marcospmr
Explorer
‎04-25-2016 10:09 AM

The count of events is getting 0 results.

For troubleshooting purposes, i've tried to run the search like this:

index=* [| gentimes start=-1 | eval search=if(now()>=strptime("05/30/16","%m/%d/%y"),"1=2","1=1") | table search]

The result is: "No results found."

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-25-2016 11:33 AM

Try using field name in subsearch as "query" instead of "search".

0 Karma
Reply
Solved! Jump to solution

sk314
Builder
‎02-09-2016 04:43 PM

what sorcery is this? 🙂

Reply
Solved! Jump to solution

daniel333
Builder
‎02-10-2016 06:37 AM

Wow! I have 0 idea what is going on in that search. But I'll give it a shot tonight. Thanks for getting back to me.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-10-2016 07:12 AM

Ok.. so let's make that 0 to some positive number..

[| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search]

The first subsearch (above) compares the current time with cut-off date (2/16/16 here) and returns a string (that's why I used the field name as search so it's value is returned) with 1=2 (current date is after your cut-off date, search will not run) OR 1=1 (just the opposite).

[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]

The second subsearch again returns a string "All good" if there are more than 30 days till cut-off date OR alert expiring message with no of days otherwise. (since we set a value of field Comment here, it should be enclosed within double quotes)

Reply
Solved! Jump to solution

joxley
Path Finder
‎04-25-2016 04:33 AM

Returning 1=2 into the main search to stop it from running is a really good trick. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...