Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to suppress alerts during holidays

Ash1
Communicator
‎10-04-2023 08:12 AM

I have an alert but I want to suppress it during holidays

How can I do that????

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-06-2023 05:37 AM

See if this helps.  It assumes the holidays are in a file called 'holidays.csv'.  The lookup contains (at least) two columns called "Begins" and "Ends", which are timestamps in the format mon/day/year hour:min.

index=error-logs status=401 NOT [| inputlookup holidays.csv 
``` Build a search string to exclude dates in the lookup file ```
  | eval search="_time>=" . strptime(Begins,"%m/%d/%Y %H:%M") . " _time<=" . strptime(Ends,"%m/%d/%Y %H:%M") 
  | fields search 
  | format 
``` Remove quotes from the search string ```
  | eval search=replace(search, "\\\"", "")]
| stats count

This tells Splunk to search the error-logs index for events with status 401 and timestamps (_time field) not given in holidays.csv.

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-04-2023 08:54 AM

Splunk doesn't have a built-in feature to do that because Bad Things happen even on holidays.

You can either modify the alert SPL to not trigger on certain days or disable them on those days.  The Holidays app (https://splunkbase.splunk.com/app/4853) may help with that.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Ash1
Communicator
‎10-04-2023 09:11 AM

Hi @richgalloway 

Thank you for the inputs

I want to go with the modify my alert query by using look up file 

Like I want to add the holidays dates in the Excel sheet and will upload to splunk

But I am not understanding how to frame a query with that now, below is my query

Index=error-logs  status=401

|Stats count 

 

Can you please help 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-06-2023 05:37 AM

See if this helps.  It assumes the holidays are in a file called 'holidays.csv'.  The lookup contains (at least) two columns called "Begins" and "Ends", which are timestamps in the format mon/day/year hour:min.

index=error-logs status=401 NOT [| inputlookup holidays.csv 
``` Build a search string to exclude dates in the lookup file ```
  | eval search="_time>=" . strptime(Begins,"%m/%d/%Y %H:%M") . " _time<=" . strptime(Ends,"%m/%d/%Y %H:%M") 
  | fields search 
  | format 
``` Remove quotes from the search string ```
  | eval search=replace(search, "\\\"", "")]
| stats count

This tells Splunk to search the error-logs index for events with status 401 and timestamps (_time field) not given in holidays.csv.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...