Alerting

Putting a list of hosts under maintenance

sureshkumaar
Path Finder

Can anyone please let me know how to put a list of hosts under maintenance so that Splunk doesn't trigger alerts for those hosts alone where ever it is used in Alerts.

Labels (2)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

What you have now is the general method for eliminating hosts under maintenance from a query.  Use this method in any search that needs to ignore hosts being maintained.

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

In general, you could create a lookup file with the names of the hosts under maintenance.  Your alert would need to check the lookup before issuing an alert.  The exact method for doing so depends on your alert query, but something like this might work

<base search> NOT [ | inputlookup maintenanceHosts.csv | format ]
| ...

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshkumaar
Path Finder

Hi @richgalloway 

Thanks for your reply

I tried something below and mentioned only one hosts in the csv file but still i found the events for that host as well.

Kindly let me know is there anything i need to modify/update in this query.

host=host1* OR host=host2* OR host=host3* NOT [ | inputlookup DecomMaint.csv | format ]

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use of parentheses may help.  Also, the field name returned from the subsearch must match a field name in the main search (or use rename to make them match).

(host=host1* OR host=host2* OR host=host3*) NOT [ | inputlookup DecomMaint.csv | rename foo as host | fields host | format ]
---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshkumaar
Path Finder

Maintenance.PNG

@richgalloway - Apologize for the delay , i tried with 3 hosts in the query and added only one host in the CSV file but still it's returning for that host as well. Kindly help 

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Can you share your CSV file? Does it have a field called "foo"? If not, change "foo" to match the field name in the lookup file.
---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshkumaar
Path Finder

Maintenance1.PNG@richgalloway My CSV file has only one host with field called "host", i tried with this query also but returned the events for the host from the csv file also. Kindly suggest

0 Karma

richgalloway
SplunkTrust
SplunkTrust
What results do you get when running the subsearch ("| inputlookup" through "format") by itself?
---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshkumaar
Path Finder

Maintenance2.PNG

 

@richgalloway i tried the query "| inputlookup DecomMaint.csv | fields host | format"

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Thank you. That output tells me there is no "host" field in the lookup file. Again I ask you to kindly share the lookup file (change host names, if necessary).
---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshkumaar
Path Finder

Maintenance3.PNG

 

@richgalloway   - It's my BAD, in the lookup table "Destination filename" i updated without file extension ".csv" after typing file name with it's extension. It worked now successfully

Kindly let me know for below clarifications i needed and i can try testing as well

1. Do i need to update this search in the queries for all the alerts where the hosts is in usage?

NOT [ | inputlookup DecomMaint.csv | fields host | format ]

OR

2. is there any way saving this maintenance search as an informational alert and look for all the alerts available in that Splunk and have this maintenance search query effectively run using cron expression setting for a period to not to show the hosts only during that time?

For Ex:- */10 0-1 * * * - setting this will make sure the maintenance query working only during 12 AM - 1 AM EST and results not returning the hosts which i mention in the Lookup file for that time 12 AM - 1 AM.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What you have now is the general method for eliminating hosts under maintenance from a query.  Use this method in any search that needs to ignore hosts being maintained.

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...