Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn off an alert for 30 minutes on a given day?

cj039165
New Member
‎11-21-2016 09:13 AM

Hello -

I have an alert that I want to 'suppress' / 'turn off' for 30 min a week. Every Sunday a connection is dropped from 2:45pm to 3:15pm. The drop is part of 'normal' Sunday work that occurs. We don't need the 'false positives' hitting our on-call. Is there a way to stop alerting for just 30 min on a given day?

Thanks,

Carl

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SierraX
Communicator
‎11-21-2016 10:12 AM

Hello,
I would embed it in a search:

alt text

alt text

With a search

 | search NOT dactivate=*

Kind Regards
SierraX

View solution in original post

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution
Solution

SierraX
Communicator
‎11-21-2016 10:12 AM

Hello,
I would embed it in a search:

alt text

alt text

With a search

 | search NOT dactivate=*

Kind Regards
SierraX

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution

cj039165
New Member
‎12-19-2016 10:32 AM

Hello -

Got back to working on this. For some reason this is still alerting between 14:45 and 16:00 on Sundays. Not sure what I'm missing. Thanks.

index=hdx_was source="/hdx1/was70-32/AppServer/profiles/AppSrv01/logs/PRD3_XF*/SystemOut.log" "A connection failed but has been re-established" | eval wday=strftime(now(),"%a"),homi=strftime(now(),"%H%M"),dactivate=if(wday="Sun" AND homi>=1445 AND homi<=1600,"off",NULL)

0 Karma
Reply
Solved! Jump to solution

cj039165
New Member
‎11-22-2016 06:18 AM

Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

cj039165
New Member
‎11-21-2016 11:10 AM

Thanks for the response SierraX. Here is the search I'm running. New to Splunk, I'm getting an error message "Error in 'eval' command: The expression is malformed. Expected"

index=hdx_was source="/hdx1/was70-32/AppServer/profiles/AppSrv01/logs/PRD3_XF*/SystemOut.log" "A connection failed but has been re-established" |eval wday=strftime(now(),"%a"),homi=strftime(now(),"%H%M"),dactivate=if(wday"Sun" AND homi>=1445 AND homi<=1530,"off",NULL)

0 Karma
Reply
Solved! Jump to solution

SierraX
Communicator
‎11-21-2016 01:00 PM

Sorry for the late response...
when this is a 1to1 copy of the search, you forgot a = (equal) between wday and "Sun"

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎11-21-2016 10:01 AM

You'd have to write a cron type schedule for that or possibly more than one cron schedule. All these assume you run every 15 minutes.

Something like 

 */15 * * * 1,2,3,4,5

And another for Sunday normal hours.

 */15 0,1,4-23 * * 0

Then one for 2-230 and 315-4 on Sunday 

 0,15,30 2 * * 0
 15,30,45 3 * * 0

But use the same search for all... Name them differently, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...