Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to stop the alerts on maintenance window on a specific day?

yamini26
New Member
‎08-26-2017 04:21 AM

We have a monthly release on every month third week Saturday from 1:30 AM to 7 AM and also have regular Sunday maintenance window every week from 2 AM to 5 AM.I want to stop the alerts to be triggering during this two maintenance window.Could someone help me on this.

Tags (1)
0 Karma
Reply

niketn
Legend
‎08-28-2017 04:22 AM

@yamini26, while events created Sunday with specific hours can be filtered in the base search using date_wday and date_hour, third saturday of month can not be identified in the base search. So your query might look like the following:

<YourBaseSearch> ((date_wday="monday") OR (date_wday="tuesday") OR (date_wday="wednesday") OR (date_wday="thursday") OR (date_wday="friday") OR (date_wday="saturday") OR (date_wday="sunday") AND (date_hour<2 OR date_hour>5))
| eval weekOfMonth=floor(date_mday/7)+1
| search (date_wday!="saturday") OR (date_wday="saturday" AND weekOfMonth!=3) OR (date_wday="saturday" AND weekOfMonth=3 AND ((date_hour<1 AND date_minute<30) OR date_hour>7)
| <YourRemainingSearch>

Another approach could be to have deployment/maintenance window (Date or DateTime) in csv, which you should have at Enterprise so that you can filter blackout time in base search using inputlookup.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

stufty
Path Finder
‎10-22-2018 08:05 AM

the eval expression in line 2 abvoe:
| eval weekOfMonth=floor(date_mday/7)+1
should be
| eval date_weekOfMonth=floor((date_mday-1)/7)+1

otherwise the 21st would show as being on the 4th week, for instance.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-27-2017 11:54 AM

Hi yamini26,
you could insert in your search an exclusion condition:

your_search NOT (date_wday=sunday date_hour>1 date_hour<6)

Bye.
Giuseppe

0 Karma
Reply

yamini26
New Member
‎08-28-2017 02:34 AM

Can you tell me how to stop the alerts on every third week Saturday and every week Sunday.Timings are already mentioned in my question.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 03:27 AM

Hi yamini26,
Sorry I forgot the other condition.
you could insert in your search an exclusion condition:

 your_search NOT ((date_wday=sunday OR (date_wday=saturday date_mday>15 date_mday<22)) date_hour>1 date_hour<6)

Bye.
Giuseppe

0 Karma
Reply

aakwah
Builder
‎08-26-2017 02:18 PM

have a look to this answer, hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...