Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to put an expiration date on a set of saved searches/alerts so after a specified date, they will no longer run?

daniel333
Builder
‎02-09-2016 09:02 AM

All,

New to macros, hoping someone can hammer something out for me or at least point me in the right direction. I am not 100% sure Macros are what I need.

Problem:
I want to put expiration dates on a certain set of saved searches. That is, I want this alert after 6/15/2016 to no longer run. The job should run and just log out the alert as expired or something. Also helpful would be a line of code to warns the job is going to expire in 1 month giving the consumer of the job 30 days notice.

Thinking:
What I think I need to do is create a macros on my job that takes a parameter of the date I want it expire on. In the Macro I should set with an eval alertlifetime="good"|"expiringsoon"|"expiring" and include alertlifetime in the alert subject line as a token. But I am not sold on this solution. If there is something better I am open to it.

Example:

tag=java tag=problem expiremacro("6/6/16") | stats count by host, alertlifetime
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-09-2016 11:33 AM

Looks like you're anyways hard-coding the date in the search, so I don't see any use of macro as such. My suggestion many not look so clean like your macro implementation, but should do the task. Try something like this

 tag=java tag=problem [| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search] 
| stats count by host
| eval Comment=[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-09-2016 11:33 AM

Looks like you're anyways hard-coding the date in the search, so I don't see any use of macro as such. My suggestion many not look so clean like your macro implementation, but should do the task. Try something like this

 tag=java tag=problem [| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search] 
| stats count by host
| eval Comment=[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]
Reply
Solved! Jump to solution

marcospmr
Explorer
‎04-25-2016 06:48 AM

I'm trying this on 6.4, but it's not working. It's not accepting 1=1 as a argument. Any ideas?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-25-2016 09:59 AM

Any specific error you're getting?

0 Karma
Reply
Solved! Jump to solution

marcospmr
Explorer
‎04-25-2016 10:09 AM

The count of events is getting 0 results.

For troubleshooting purposes, i've tried to run the search like this:

index=* [| gentimes start=-1 | eval search=if(now()>=strptime("05/30/16","%m/%d/%y"),"1=2","1=1") | table search]

The result is: "No results found."

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-25-2016 11:33 AM

Try using field name in subsearch as "query" instead of "search".

0 Karma
Reply
Solved! Jump to solution

sk314
Builder
‎02-09-2016 04:43 PM

what sorcery is this? 🙂

Reply
Solved! Jump to solution

daniel333
Builder
‎02-10-2016 06:37 AM

Wow! I have 0 idea what is going on in that search. But I'll give it a shot tonight. Thanks for getting back to me.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-10-2016 07:12 AM

Ok.. so let's make that 0 to some positive number..

[| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search]

The first subsearch (above) compares the current time with cut-off date (2/16/16 here) and returns a string (that's why I used the field name as search so it's value is returned) with 1=2 (current date is after your cut-off date, search will not run) OR 1=1 (just the opposite).

[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]

The second subsearch again returns a string "All good" if there are more than 30 days till cut-off date OR alert expiring message with no of days otherwise. (since we set a value of field Comment here, it should be enclosed within double quotes)

Reply
Solved! Jump to solution

joxley
Path Finder
‎04-25-2016 04:33 AM

Returning 1=2 into the main search to stop it from running is a really good trick. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...