We have a monthly release on every month third week Saturday from 1:30 AM to 7 AM and also have regular Sunday maintenance window every week from 2 AM to 5 AM.I want to stop the alerts to be triggering during this two maintenance window.Could someone help me on this.
@yamini26, while events created Sunday with specific hours can be filtered in the base search using date_wday and date_hour, third saturday of month can not be identified in the base search. So your query might look like the following:
<YourBaseSearch> ((date_wday="monday") OR (date_wday="tuesday") OR (date_wday="wednesday") OR (date_wday="thursday") OR (date_wday="friday") OR (date_wday="saturday") OR (date_wday="sunday") AND (date_hour<2 OR date_hour>5))
| eval weekOfMonth=floor(date_mday/7)+1
| search (date_wday!="saturday") OR (date_wday="saturday" AND weekOfMonth!=3) OR (date_wday="saturday" AND weekOfMonth=3 AND ((date_hour<1 AND date_minute<30) OR date_hour>7)
| <YourRemainingSearch>
Another approach could be to have deployment/maintenance window (Date or DateTime) in csv, which you should have at Enterprise so that you can filter blackout time in base search using inputlookup.
the eval expression in line 2 abvoe:
| eval weekOfMonth=floor(date_mday/7)+1
should be
| eval date_weekOfMonth=floor((date_mday-1)/7)+1
otherwise the 21st would show as being on the 4th week, for instance.
Hi yamini26,
you could insert in your search an exclusion condition:
your_search NOT (date_wday=sunday date_hour>1 date_hour<6)
Bye.
Giuseppe
Can you tell me how to stop the alerts on every third week Saturday and every week Sunday.Timings are already mentioned in my question.
Hi yamini26,
Sorry I forgot the other condition.
you could insert in your search an exclusion condition:
your_search NOT ((date_wday=sunday OR (date_wday=saturday date_mday>15 date_mday<22)) date_hour>1 date_hour<6)
Bye.
Giuseppe
have a look to this answer, hope it helps