Alerting

How to turn off an alert for 30 minutes on a given day?

cj039165
New Member

Hello -

I have an alert that I want to 'suppress' / 'turn off' for 30 min a week. Every Sunday a connection is dropped from 2:45pm to 3:15pm. The drop is part of 'normal' Sunday work that occurs. We don't need the 'false positives' hitting our on-call. Is there a way to stop alerting for just 30 min on a given day?

Thanks,

Carl

0 Karma

SierraX
Communicator

Hello,
I would embed it in a search:


With a search

 | search NOT dactivate=*

Kind Regards
SierraX


cj039165
New Member

Hello -

Got back to working on this. For some reason this is still alerting between 14:45 and 16:00 on Sundays. Not sure what I'm missing. Thanks.

index=hdx_was source="/hdx1/was70-32/AppServer/profiles/AppSrv01/logs/PRD3_XF*/SystemOut.log" "A connection failed but has been re-established" | eval wday=strftime(now(),"%a"),homi=strftime(now(),"%H%M"),dactivate=if(wday="Sun" AND homi>=1445 AND homi<=1600,"off",NULL)

0 Karma
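The eval in this thread tests now(), the time the scheduled search runs, not the time of each event. The Python model below is an added example (my code, not Splunk code and not from anyone in the thread): it replays the same Sunday 14:45-15:15 test over a few constructed log events for a search assumed to run every 15 minutes with a 15-minute lookback, once keyed on run time as in the thread and once keyed on event time, which is what strftime(_time, ...) would give in SPL. The date, the events, the schedule and the function names are all assumptions made for the example.

```python
from datetime import datetime, time, timedelta

# Constructed values for the example: the thread's Sunday outage, 14:45 to
# 15:15 local time, and a search assumed to run every 15 minutes looking back
# 15 minutes. All times are naive and assumed to be in the alert's timezone.
WINDOW_START = time(14, 45)
WINDOW_END = time(15, 15)            # exclusive
SUNDAY = 6                           # datetime.weekday(): Monday=0 ... Sunday=6
LOOKBACK = timedelta(minutes=15)
MESSAGE = "A connection failed but has been re-established"


def in_window(ts: datetime) -> bool:
    """The eval's dactivate test: Sunday and HHMM inside the outage window."""
    return ts.weekday() == SUNDAY and WINDOW_START <= ts.time() < WINDOW_END


def alerting_events(events, run_time: datetime, use_event_time: bool):
    """Events left after the suppression filter for one scheduled run.

    use_event_time=False mirrors the thread: the test is applied to now(), so
    the whole run is either suppressed or not.
    use_event_time=True applies the same test to each event's own timestamp,
    which is what strftime(_time, ...) would give in SPL.
    """
    if not use_event_time:
        return [] if in_window(run_time) else list(events)
    return [e for e in events if not in_window(e[0])]


# Constructed sample events (not from the page): one real failure just before
# the outage, two inside it, one just after. 2024-03-03 is a Sunday.
SUNDAY_DATE = datetime(2024, 3, 3)


def at(hh: int, mm: int) -> datetime:
    """Constructed timestamp on the example Sunday."""
    return SUNDAY_DATE.replace(hour=hh, minute=mm)


EVENTS = [(at(14, 40), MESSAGE), (at(14, 50), MESSAGE),
          (at(15, 10), MESSAGE), (at(15, 18), MESSAGE)]


def simulate(run_time: datetime, use_event_time: bool) -> list:
    """HH:MM of the events that would reach the alert for a run at run_time."""
    batch = [e for e in EVENTS if run_time - LOOKBACK < e[0] <= run_time]
    kept = alerting_events(batch, run_time, use_event_time)
    return [e[0].strftime("%H:%M") for e in kept]


if __name__ == "__main__":
    for hh, mm in ((14, 45), (15, 0), (15, 15), (15, 30)):
        run = at(hh, mm)
        print(run.strftime("run %H:%M"),
              "now()-based:", simulate(run, False),
              "_time-based:", simulate(run, True))
```

Run-time suppression is all-or-nothing per run: the 14:45 run drops a real failure from 14:40, and the 15:15 run lets the maintenance drop from 15:10 through, which is why a now()-based window has to be padded by one schedule interval past the end of the outage. Testing _time instead needs no padding. Whichever you pick, the search still needs the `| search NOT dactivate=*` (or `| where isnull(dactivate)`) filter from the accepted answer after the eval, and the hour the eval sees is rendered in the timezone of the user the scheduled search runs as, so check that it matches the 2:45pm the outage is described in.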

cj039165
New Member

Thanks for the help.

0 Karma

cj039165
New Member

Thanks for the response, SierraX. Here is the search I'm running. I'm new to Splunk, and I'm getting an error message: "Error in 'eval' command: The expression is malformed. Expected"

index=hdx_was source="/hdx1/was70-32/AppServer/profiles/AppSrv01/logs/PRD3_XF*/SystemOut.log" "A connection failed but has been re-established" |eval wday=strftime(now(),"%a"),homi=strftime(now(),"%H%M"),dactivate=if(wday"Sun" AND homi>=1445 AND homi<=1530,"off",NULL)

0 Karma

SierraX
Communicator

Sorry for the late response...
If this is a 1-to-1 copy of the search, you forgot an = (equals sign) between wday and "Sun".

0 Karma

jkat54
SplunkTrust

You'd have to write a cron-type schedule for that, or possibly more than one cron schedule. All of these assume you run every 15 minutes.

Something like

 */15 * * * 1,2,3,4,5

And another for Sunday normal hours.

 */15 0,1,4-23 * * 0

Then one for 2:00-2:30 and 3:15-4:00 on Sunday.

 0,15,30 2 * * 0
 15,30,45 3 * * 0

But use the same search for all... Name them differently, etc.

0 Karma
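Splitting one alert across several cron schedules is easy to get subtly wrong, so it is worth checking the set mechanically before saving it. The script below is an added example (my code, not from the thread and not Splunk's): it builds a small 5-field cron matcher, walks one week of 15-minute run times, and reports any run the schedules miss outside the outage or fire inside it. A run is treated as inside the outage when its 15-minute lookback touches the 14:45-15:15 window, so for that window the runs at 14:45, 15:00 and 15:15 are the ones to leave out. The four schedules, the week used, the 15-minute interval and the function names are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed parameters (assumptions for the example): the thread's Sunday
# outage and a search that runs every 15 minutes looking back 15 minutes.
OUTAGE_START = (14, 45)            # Sunday 14:45 local
OUTAGE_END = (15, 15)              # exclusive
INTERVAL = timedelta(minutes=15)

# Proposed schedule set for that outage (my assumption, not from the thread).
SCHEDULES = [
    "*/15 * * * 1-6",              # Monday to Saturday, every 15 minutes
    "*/15 0-13,16-23 * * 0",       # Sunday, every hour except 14 and 15
    "0,15,30 14 * * 0",            # Sunday 14:00, 14:15, 14:30 (skip 14:45)
    "30,45 15 * * 0",              # Sunday 15:30, 15:45 (skip 15:00, 15:15)
]


def _expand(field: str, lo: int, hi: int) -> set:
    """Expand one cron field (*, a, a-b, a,b,c, */n, a-b/n) into the ints it covers."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/")
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def cron_matches(expr: str, ts: datetime) -> bool:
    """True if a 5-field cron expression fires at ts (minute resolution).

    Simplification: day-of-month and day-of-week are ANDed. Every schedule
    here uses * for day-of-month, so Vixie cron's OR rule never applies.
    """
    minute, hour, dom, month, dow = expr.split()
    return (ts.minute in _expand(minute, 0, 59)
            and ts.hour in _expand(hour, 0, 23)
            and ts.day in _expand(dom, 1, 31)
            and ts.month in _expand(month, 1, 12)
            and ts.isoweekday() % 7 in _expand(dow, 0, 6))   # cron: Sunday = 0


def run_should_skip(run_time: datetime) -> bool:
    """Skip a run if its lookback (run_time - INTERVAL, run_time] touches the outage."""
    if run_time.isoweekday() % 7 != 0:       # outage is Sunday only
        return False
    start = run_time.replace(hour=OUTAGE_START[0], minute=OUTAGE_START[1], second=0, microsecond=0)
    end = run_time.replace(hour=OUTAGE_END[0], minute=OUTAGE_END[1], second=0, microsecond=0)
    return run_time - INTERVAL < end and run_time >= start


def sunday_at(hh: int, mm: int) -> datetime:
    """Constructed timestamp on the example Sunday, 2024-03-03."""
    return datetime(2024, 3, 3, hh, mm)


def check_schedules(schedules, week_start: datetime = datetime(2024, 3, 3)):
    """Walk one week of 15-minute slots from week_start (a Sunday, 00:00).

    Returns (missing, unwanted): slots that should fire but no schedule covers,
    and slots a schedule fires inside the outage, as "Day HH:MM" strings.
    Both lists empty means the schedule set is exactly right.
    """
    missing, unwanted = [], []
    slot = week_start
    while slot < week_start + timedelta(days=7):
        fires = any(cron_matches(s, slot) for s in schedules)
        wanted = not run_should_skip(slot)
        if wanted and not fires:
            missing.append(slot.strftime("%a %H:%M"))
        if fires and not wanted:
            unwanted.append(slot.strftime("%a %H:%M"))
        slot += INTERVAL
    return missing, unwanted


if __name__ == "__main__":
    missing, unwanted = check_schedules(SCHEDULES)
    print("missing runs:", missing)
    print("runs inside the outage:", unwanted)
```

Splunk's alert scheduler takes standard 5-field cron expressions, so each of these goes on its own copy of the alert, all with the same search, as jkat54 describes. Run the checker against your own set before saving it, with OUTAGE_START and OUTAGE_END changed to match the outage: it prints exactly which 15-minute runs the set leaves uncovered and which it still fires during the drop.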