All Apps and Add-ons

Schedule Recurring Suppression using Alert Manager

KARANMALHOTRA
Path Finder

Hello,

I am using Alert Manager to handle all alerts being created in my Splunk instance. And I am able to create Suppression Rules for a specific time slot using the Suppression menu provided in the app.

Current Suppression looks like:
Match Type ALL
$result.host$ is MYSERVER123
_time > 1518867000
_time < 1518944400

I have some servers and applications which only need to be monitored from 8am to 10pm on a daily basis as they are powered off outside office hours. With the current implementation, I have to set up a single suppression rule for each day.

Is there a way to provide this schedule in Splunk/Alert Manager so that alerts are suppressed in a specific duration.

Splunk v7.0.0
Alert Manager v2.2.2

Thanks!

0 Karma

KARANMALHOTRA
Path Finder

We could not find a way to do it via Alert Manager. So we created an external script to resolve the alerts after creation.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!