Solved: Is there a way we can exclude weekends from alerts...

bsaujla131984 · ‎03-21-2020

Is there a way we can exclude weekends from alerts?

I have not been able to find cron expression.

woodcock · ‎03-21-2020

you should have been able to find the cron with ease which is 1-5 in the last field:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/CronExpressions
Perhaps you cannot find where to enter the cron?
Click on the Schedule setting and the last value should be Run on Cron Schedule which when selected will add a new Cron Expression setting to the dialog.

View solution in original post

woodcock · ‎03-21-2020

you should have been able to find the cron with ease which is 1-5 in the last field:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/CronExpressions
Perhaps you cannot find where to enter the cron?
Click on the Schedule setting and the last value should be Run on Cron Schedule which when selected will add a new Cron Expression setting to the dialog.

bsaujla131984 · ‎03-21-2020

Thanks Woodcock.

gcusello · ‎03-21-2020

Hi @bsaujla131984,
you have to ways to do this:

modify cron, e.g. an alert every hour: 0 * * * 1-5
modify search excluding sunday and saturday: index=your_index NOT (date_wday=saturday OR date_wday=sunday)

If, in addition, you want to exclude also holydays, you have to create a lookup containing all the dates in the year flagging holidays with a code and use it for the exclusions.

Ciao.
Giuseppe

woodcock · ‎03-21-2020

Never use the "free" date_* fields; if you need them, calculate your own (which will show you that the "free" ones are not what you think they are). They are pre-TZ-adjustment artifacts meant for debugging timestamping problems, NOT for general use.

Is there a way we can exclude weekends from alerts?

cron

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!