Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to stop the alerts on maintenance window on a specific day?

yamini26
New Member
‎08-26-2017 04:21 AM

We have a monthly release on every month third week Saturday from 1:30 AM to 7 AM and also have regular Sunday maintenance window every week from 2 AM to 5 AM.I want to stop the alerts to be triggering during this two maintenance window.Could someone help me on this.

Tags (1)
0 Karma
Reply

niketn
Legend
‎08-28-2017 04:22 AM

@yamini26, while events created Sunday with specific hours can be filtered in the base search using date_wday and date_hour, third saturday of month can not be identified in the base search. So your query might look like the following:

<YourBaseSearch> ((date_wday="monday") OR (date_wday="tuesday") OR (date_wday="wednesday") OR (date_wday="thursday") OR (date_wday="friday") OR (date_wday="saturday") OR (date_wday="sunday") AND (date_hour<2 OR date_hour>5))
| eval weekOfMonth=floor(date_mday/7)+1
| search (date_wday!="saturday") OR (date_wday="saturday" AND weekOfMonth!=3) OR (date_wday="saturday" AND weekOfMonth=3 AND ((date_hour<1 AND date_minute<30) OR date_hour>7)
| <YourRemainingSearch>

Another approach could be to have deployment/maintenance window (Date or DateTime) in csv, which you should have at Enterprise so that you can filter blackout time in base search using inputlookup.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

stufty
Path Finder
‎10-22-2018 08:05 AM

the eval expression in line 2 abvoe:
| eval weekOfMonth=floor(date_mday/7)+1
should be
| eval date_weekOfMonth=floor((date_mday-1)/7)+1

otherwise the 21st would show as being on the 4th week, for instance.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-27-2017 11:54 AM

Hi yamini26,
you could insert in your search an exclusion condition:

your_search NOT (date_wday=sunday date_hour>1 date_hour<6)

Bye.
Giuseppe

0 Karma
Reply

yamini26
New Member
‎08-28-2017 02:34 AM

Can you tell me how to stop the alerts on every third week Saturday and every week Sunday.Timings are already mentioned in my question.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 03:27 AM

Hi yamini26,
Sorry I forgot the other condition.
you could insert in your search an exclusion condition:

 your_search NOT ((date_wday=sunday OR (date_wday=saturday date_mday>15 date_mday<22)) date_hour>1 date_hour<6)

Bye.
Giuseppe

0 Karma
Reply

aakwah
Builder
‎08-26-2017 02:18 PM

have a look to this answer, hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...