Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use the check_alerting_schedule in Alert Schedule for Splunk for multiple schedule conditions?

mudragadak
New Member
‎05-03-2018 12:47 PM

Question on how to use the check_alerting_schedule for multiple schedule conditions.

I've setup
1. schedules.csv for different pools of servers that undergo maintenance (App1_Maintenance, App2_Maintenance, App1_Server_Maintenance, App2_Server_Maintenance)
2. schedule_hours.csv for 24/7 working of these applications
3. schedule_maintenance_windows.csv for App1_Maintenance between 09:00AM to 12:00PM. App1_Server_Maintenance between 12:00PM and 04:00PM. The following day, I have a DataCenter_Maintenance between 04:00AM and 06:00AM

Now, I can setup all application alerts with a check_alerting_schedule(App1_Maintenance) and all server alerts with a check_alerting_schedule(App1_Server_Maintenance).

But, logically, when my DataCenter or App1's server is under maintenance, the alert schedule should be checked against all App1_Maintenance, App1_Server_Maintenance and DataCenter_Maintenance schedules to silence the false alerts.

Is there a way that I can use multiple schedules to silence or enable alerts?

0 Karma
Reply

somesoni2
Revered Legend
‎05-03-2018 01:52 PM

Does schedule_id is same for all lookup files? (it's a primary key which should be same for all lookups)

0 Karma
Reply

mudragadak
New Member
‎05-04-2018 11:55 AM

nope..the schedule_id is the one that goes in as argument for check_alerting_schedule above.

0 Karma
Reply

somesoni2
Revered Legend
‎05-04-2018 12:34 PM

I'm reading the details on the app "Alert Schedule for Splunk" at below link and, in screenshot 3, it states that all lookup files should share same schedule_id value for all exclusion lookups.

https://splunkbase.splunk.com/app/3563/#/overview

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...