Alerting
Highlighted

Is there a way we can exclude weekends from alerts?

Path Finder

Is there a way we can exclude weekends from alerts?

I have not been able to find cron expression.

Labels (1)
0 Karma
Highlighted

Re: Excluding weekends in alerts..

Legend

Hi @bsaujla131984,
you have to ways to do this:

  • modify cron, e.g. an alert every hour: 0 * * * 1-5
  • modify search excluding sunday and saturday: index=your_index NOT (date_wday=saturday OR date_wday=sunday)

If, in addition, you want to exclude also holydays, you have to create a lookup containing all the dates in the year flagging holidays with a code and use it for the exclusions.

Ciao.
Giuseppe

0 Karma
Highlighted

Re: Excluding weekends in alerts..

Esteemed Legend

Never use the "free" date_* fields; if you need them, calculate your own (which will show you that the "free" ones are not what you think they are). They are pre-TZ-adjustment artifacts meant for debugging timestamping problems, NOT for general use.

0 Karma
Highlighted

Re: Excluding weekends in alerts..

Esteemed Legend

you should have been able to find the cron with ease which is 1-5 in the last field:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/CronExpressions
Perhaps you cannot find where to enter the cron?
Click on the Schedule setting and the last value should be Run on Cron Schedule which when selected will add a new Cron Expression setting to the dialog.

View solution in original post

0 Karma
Highlighted

Re: Excluding weekends in alerts..

Path Finder

Thanks Woodcock.

0 Karma