Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn off an alert for 30 minutes on a given day?

cj039165
New Member
‎11-21-2016 09:13 AM

Hello -

I have an alert that I want to 'suppress' / 'turn off' for 30 min a week. Every Sunday a connection is dropped from 2:45pm to 3:15pm. The drop is part of 'normal' Sunday work that occurs. We don't need the 'false positives' hitting our on-call. Is there a way to stop alerting for just 30 min on a given day?

Thanks,

Carl

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SierraX
Communicator
‎11-21-2016 10:12 AM

Hello,
I would embed it in a search:

alt text

alt text

With a search

 | search NOT dactivate=*

Kind Regards
SierraX

View solution in original post

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution
Solution

SierraX
Communicator
‎11-21-2016 10:12 AM

Hello,
I would embed it in a search:

alt text

alt text

With a search

 | search NOT dactivate=*

Kind Regards
SierraX

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution

cj039165
New Member
‎12-19-2016 10:32 AM

Hello -

Got back to working on this. For some reason this is still alerting between 14:45 and 16:00 on Sundays. Not sure what I'm missing. Thanks.

index=hdx_was source="/hdx1/was70-32/AppServer/profiles/AppSrv01/logs/PRD3_XF*/SystemOut.log" "A connection failed but has been re-established" | eval wday=strftime(now(),"%a"),homi=strftime(now(),"%H%M"),dactivate=if(wday="Sun" AND homi>=1445 AND homi<=1600,"off",NULL)

0 Karma
Reply
Solved! Jump to solution

cj039165
New Member
‎11-22-2016 06:18 AM

Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

cj039165
New Member
‎11-21-2016 11:10 AM

Thanks for the response SierraX. Here is the search I'm running. New to Splunk, I'm getting an error message "Error in 'eval' command: The expression is malformed. Expected"

index=hdx_was source="/hdx1/was70-32/AppServer/profiles/AppSrv01/logs/PRD3_XF*/SystemOut.log" "A connection failed but has been re-established" |eval wday=strftime(now(),"%a"),homi=strftime(now(),"%H%M"),dactivate=if(wday"Sun" AND homi>=1445 AND homi<=1530,"off",NULL)

0 Karma
Reply
Solved! Jump to solution

SierraX
Communicator
‎11-21-2016 01:00 PM

Sorry for the late response...
when this is a 1to1 copy of the search, you forgot a = (equal) between wday and "Sun"

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎11-21-2016 10:01 AM

You'd have to write a cron type schedule for that or possibly more than one cron schedule. All these assume you run every 15 minutes.

Something like 

 */15 * * * 1,2,3,4,5

And another for Sunday normal hours.

 */15 0,1,4-23 * * 0

Then one for 2-230 and 315-4 on Sunday 

 0,15,30 2 * * 0
 15,30,45 3 * * 0

But use the same search for all... Name them differently, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...