Alerting

date diff until

DaveBunn
Path Finder

I have an alert which detects when a log feed has failed

The team the alert goes to have asked that I allow them to suppress the alert.

I have now created a mailto link within the alert email that sends and email with a specifically crafted email subject and body that is detected in all future alerts to suppress future alerts for 12hrs.
a simple math calculation generates the 12hrs, the epoch timestamp is in the subject header, the alert spl looks at the subject and either suppresses the alert or not.

This works perfectly - the technical team have now asked that I vary the suppression as follows

If the alert came in before 10AM the suppression remains 12 hours
If the alert came in after 10AM then the suppression time would be "until 10AM the following day".

So - how do you calculate a time stamp to 10AM the following day.
It must be simple but my mind has lost it right now.
Something like is current hour >10AM timestamp=tomorrow:10Hrs

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

DaveBunn
Path Finder

Thanks Rich - logical when you think about it.

Works a treat - thank you

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use the relative_time function to calculate time offsets.

| eval new_time = relative_time(now(), "+1d@d+10h")

The format string breaks down as follows:

"+1" : this time tomorrow
"@d": round off the time to 0:00
"+10h": add ten hours

 

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...