Archive

Disable splunk alert from 11PM to 2AM everyday AND from 3AM to 6AM Sunday?

New Member

I want to stop getting alerted for specific events that happen which may be increased during maintenance times ( as I don't want to neglect only those alerts, , and I want to avoid them spamming my inbox)
(everyday 11PM-2AM) AND (Sunday 3AM-6AM)

Any advice on this?

Tags (1)
0 Karma
1 Solution

Legend

@HKLM One of the options would be use two separate crons (Following are once per hour, but you can increase frequency as per your needs):
1) Mon- Sat which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7

Other option would be to handle in your query based on default extracted time fieldsdate_wday and date_hour so that they do not return any events during blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...

You can definitely combine both approaches as well. So that Alert does not trigger in maintenance window and query also takes care of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

Legend

@HKLM One of the options would be use two separate crons (Following are once per hour, but you can increase frequency as per your needs):
1) Mon- Sat which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7

Other option would be to handle in your query based on default extracted time fieldsdate_wday and date_hour so that they do not return any events during blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...

You can definitely combine both approaches as well. So that Alert does not trigger in maintenance window and query also takes care of the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

New Member

hi @niketnilay
thanks for your comment.
Can you clarify the 2nd option. I tried to read through the link you provided, it seems a different issue than mine, I have a query like this;
index="os" sourcetype=DBCon source IN ("os_netlogs") no endpoint listening at http://cic.cb.com/PartyLS_HTTPRout/port

0 Karma

New Member

by the way the 2nd cron expression should be 0 0-3,6-23 * * 0

as Sunday is 0 not 7.

0 Karma