Reporting

Can I tag time as scheduled maintenance to exclude events from searches?

jkeglovitz
Explorer

I would like to tag various time periods as "scheduled maintenance," so that my application error searches ignore events during these periods. The maintenance periods are irregular and of different durations. If I could transform these periods into custom fields, that would be ideal, I think. Then I could do something like

search "error" scheduled_maintenance=0
| stats etc

Does anyone have a suggestion on how I could achieve this goal?

1 Solution

dwaddle
SplunkTrust

I don't know of such support directly. I think I would probably approach it using a dynamic lookup. Your dynamic lookup script could, based on combinations of _time and host, output a field for scheduled_maintenance which you'd then filter on.

A good place to start might be

http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Addfieldsfromexternaldatasources#Set_up_...
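
One way to write the dynamic lookup script described in the answer above, as an added example that is not part of the original thread or Splunk's own code. It assumes the lookup is defined with the fields host, _time and scheduled_maintenance, that _time arrives as epoch seconds, and that rows are exchanged as CSV on stdin and stdout; the maintenance windows are constructed sample data.

```python
import csv
import sys
from datetime import datetime, timezone

# Constructed sample windows (assumption): host, start, end, all in UTC.
# "*" applies to every host. A real deployment would load these from a file.
WINDOWS = [
    ("web01", "2011-10-01T02:00:00", "2011-10-01T04:30:00"),
    ("*",     "2011-10-15T23:00:00", "2011-10-16T01:00:00"),
]

def to_epoch(iso):
    """Convert a naive ISO timestamp, taken as UTC, to epoch seconds."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()

PARSED = [(h, to_epoch(s), to_epoch(e)) for h, s, e in WINDOWS]

def in_maintenance(host, event_time):
    """Return "1" if event_time falls inside a window for host, else "0"."""
    try:
        t = float(event_time)
    except (TypeError, ValueError):
        return "0"  # unparseable time: keep the event visible, never hide it
    for h, start, end in PARSED:
        # Half-open interval: the end timestamp itself is outside the window.
        if h in ("*", host) and start <= t < end:
            return "1"
    return "0"

def run(infile, outfile):
    """Read lookup rows as CSV, fill scheduled_maintenance, write CSV back."""
    reader = csv.DictReader(infile)
    fields = list(reader.fieldnames or [])
    if "scheduled_maintenance" not in fields:
        fields.append("scheduled_maintenance")
    writer = csv.DictWriter(outfile, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        row["scheduled_maintenance"] = in_maintenance(
            row.get("host", ""), row.get("_time"))
        writer.writerow(row)

if __name__ == "__main__":
    run(sys.stdin, sys.stdout)
```

Because a missing or malformed time yields 0, bad input can only cause an error event to be shown, not suppressed.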
