Can anyone please let me know how to put a list of hosts under maintenance so that Splunk doesn't trigger alerts for those hosts alone, wherever they are used in alerts.
In general, you could create a lookup file with the names of the hosts under maintenance. Your alert would need to check the lookup before issuing an alert. The exact method for doing so depends on your alert query, but something like this might work:
<base search> NOT [ | inputlookup maintenanceHosts.csv | format ]
| ...
Thanks for your reply.
I tried something like the query below and mentioned only one host in the CSV file, but I still found the events for that host as well.
Kindly let me know if there is anything I need to modify/update in this query.
host=host1* OR host=host2* OR host=host3* NOT [ | inputlookup DecomMaint.csv | format ]
Use of parentheses may help. Also, the field name returned from the subsearch must match a field name in the main search (or use rename to make them match).
(host=host1* OR host=host2* OR host=host3*) NOT [ | inputlookup DecomMaint.csv | rename foo as host | fields host | format ]
@richgalloway - Apologies for the delay. I tried with 3 hosts in the query and added only one host in the CSV file, but it's still returning results for that host as well. Kindly help.
@richgalloway My CSV file has only one host, with a field called "host". I tried with this query also, but it returned the events for the host from the CSV file as well. Kindly suggest.
@richgalloway - It's my bad: in the lookup table "Destination filename" I updated the name without the ".csv" file extension after typing the file name with its extension. It works successfully now.
Kindly let me know about the clarifications below that I need; I can try testing as well.
1. Do I need to update this search in the queries for all the alerts where the hosts are in use?
NOT [ | inputlookup DecomMaint.csv | fields host | format ]
OR
2. Is there any way of saving this maintenance search as an informational alert, looking at all the alerts available in that Splunk, and having this maintenance search query run effectively using a cron expression setting for a period, so as not to show the hosts only during that time?
For example: */10 0-1 * * * - setting this will make sure the maintenance query works only during 12 AM - 1 AM EST, and the results do not return the hosts which I mention in the lookup file for that time, 12 AM - 1 AM.
What you have now is the general method for eliminating hosts under maintenance from a query. Use this method in any search that needs to ignore hosts being maintained.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
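One way to put the maintenance window into the lookup itself rather than into each alert's cron schedule, as an added example that is not from this thread: the subsearch keeps only the rows whose window covers the moment the alert runs, so the same NOT clause can be pasted unchanged into every alert. It assumes a constructed lookup named maintenanceWindows.csv with columns host, maint_start and maint_end holding timestamps written like 2024-06-01T00:00:00-0500, and `<base search>` stands for whatever your alert already searches, as in the answer above.

```spl
<base search> (host=host1* OR host=host2* OR host=host3*)
    NOT [ | inputlookup maintenanceWindows.csv
          | eval start=strptime(maint_start, "%Y-%m-%dT%H:%M:%S%z"),
                 end=strptime(maint_end, "%Y-%m-%dT%H:%M:%S%z")
          | where now() >= start AND now() <= end
          | fields host
          | format ]
| stats count by host
```

Because now() is evaluated each time the scheduled alert runs, a host drops out of the results only while its window is open, with no change to the alert's cron expression. The `fields host` step keeps the field name returned by the subsearch identical to the main search's host field, which is the mismatch richgalloway pointed out earlier.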