Original query:
index=splunk-index |where message="start" |where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
|eval day= strftime(_time, "%A")
|where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
|where NOT day IN("Tuesday", "Wednesday", "Thursday")
To suppress my alert, I created a lookup file and added the alert name and holiday dates as shown below:
Alert | Holidays_Date
App Relative Logs Data | 8/12/2023
App Relative Logs Data | 8/13/2023
App Relative Logs Data | 8/14/2023
App Relative Logs Data | 8/18/2023
Query with inputlookup holiday list:
|inputlookup HolidayList.csv
|where like(Alert, "App Relative Logs Data") AND Holidays_Date=strftime(now(), "%m/%d/%y")
|stats count
|eval noholdy=case(count=1, null(), true(), 1)
|search noholdy=1
|fields noholdy
|appendcols
[search index=splunk-index |where message="start" |where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
|eval day= strftime(_time, "%A")
|where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
|where NOT day IN("Tuesday", "Wednesday", "Thursday")]
When I used this query I am still receiving alerts on the dates mentioned in the .csv file, but I don't want to receive the alerts.
Is there something wrong in my query? Please help.
When using a lookup, it's normal to just use that as a lookup rather than as a data source using inputlookup, which you then have to join with your other data set as you are doing with your appendcols. If this is your base search for data:
index=splunk-index
| where message="start"
| where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
|eval day= strftime(_time, "%A")
|where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
|where NOT day IN("Tuesday", "Wednesday", "Thursday")
you just need to add the following to look up the
| eval Event_Date=strftime(_time, "%m/%d/%Y")
| lookup HolidayList.csv Holidays_Date as Event_Date OUTPUT Alert
| where isnull(Alert) OR Alert!="App Relative Logs Data"
I would also suggest you change your initial search to move the static search criteria in the where clause to the search and do the strftime just before it's needed, i.e.
index=splunk-index message="start" NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| eval day=strftime(_time, "%A")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")
@Vani_26 - Try this
search index=splunk-index | where message="start" |where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
|eval day= strftime(_time, "%m/%d/%y")
| search NOT [|inputlookup HolidayList.csv | where like(Alert, "App Relative Logs Data") | rename Holidays_Date as day | fields day | table day]
Just to make sure, this will not suppress the alert on the holiday but rather suppress the alert for the data that is timestamped on the holiday. There is a minor difference.
I hope this helps!!! Kindly upvote if it does!!!
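Both answers above hinge on one string comparison: the date string that strftime() produces from _time has to be identical to the Holidays_Date string stored in HolidayList.csv. As an added example, not code from the thread or from Splunk, the Python below emulates the two pipelines (the `lookup ... OUTPUT Alert` then `where isnull(Alert)` approach from the first answer, and the `search NOT [subsearch]` approach from the second) against a constructed copy of the asker's lookup file and three constructed events. The emulation assumes a plain exact-match CSV lookup; the `lookup_output`, `answer1_filter`, `answer2_filter` and `normalize_lookup_dates` names are this example's own. It also shows the check a practitioner would run first: strftime zero-pads %m and %d, so `8/12/2023` in the CSV never equals `08/12/2023` (or `08/12/23` with %y) and nothing gets suppressed until the lookup dates are written in the same shape the eval produces.

```python
"""Added example (not from the thread or from Splunk): emulate how the two
suppression approaches decide whether an event is dropped, using a constructed
HolidayList.csv and constructed events."""
import csv
import io
from datetime import datetime

ALERT_NAME = "App Relative Logs Data"

# Constructed copy of the asker's lookup file (same columns, same date style).
HOLIDAY_CSV = """Alert,Holidays_Date
App Relative Logs Data,8/12/2023
App Relative Logs Data,8/13/2023
App Relative Logs Data,8/14/2023
App Relative Logs Data,8/18/2023
"""

# Constructed events; _time is kept as a datetime so the emulation is timezone-independent.
EVENTS = [
    {"id": "ev1", "_time": datetime(2023, 8, 12, 9, 0), "message": "start"},   # listed holiday
    {"id": "ev2", "_time": datetime(2023, 8, 15, 9, 0), "message": "start"},   # ordinary day
    {"id": "ev3", "_time": datetime(2023, 8, 18, 6, 30), "message": "start"},  # listed holiday
]


def load_lookup(text):
    """Read the CSV the way inputlookup would: one dict per row, every value a string."""
    return list(csv.DictReader(io.StringIO(text)))


ROWS = load_lookup(HOLIDAY_CSV)


def lookup_output(events, rows, lookup_field, event_field, output_field):
    """Emulate `| lookup HolidayList.csv <lookup_field> as <event_field> OUTPUT <output_field>`
    with exact string matching (assumed). Unmatched events never receive the output
    field, which is exactly what `isnull(Alert)` tests for afterwards."""
    index = {}
    for row in rows:
        index.setdefault(row[lookup_field], row[output_field])
    enriched = []
    for ev in events:
        ev = dict(ev)
        if ev.get(event_field) in index:
            ev[output_field] = index[ev[event_field]]
        enriched.append(ev)
    return enriched


def answer1_filter(events, rows, date_fmt="%m/%d/%Y"):
    """First answer: eval Event_Date=strftime(_time, fmt) | lookup ... OUTPUT Alert
    | where isnull(Alert) OR Alert!=ALERT_NAME. Returns the events that survive."""
    stamped = [dict(ev, Event_Date=ev["_time"].strftime(date_fmt)) for ev in events]
    enriched = lookup_output(stamped, rows, "Holidays_Date", "Event_Date", "Alert")
    return [ev for ev in enriched if ev.get("Alert") is None or ev["Alert"] != ALERT_NAME]


def answer2_filter(events, rows, date_fmt="%m/%d/%y"):
    """Second answer: eval day=strftime(_time, fmt) | search NOT [subsearch of holiday days].
    The subsearch collapses to a set of day strings; an event is dropped when its day is
    in that set. like(Alert, "...") with no % wildcard is an exact match, emulated as ==."""
    excluded = {row["Holidays_Date"] for row in rows if row["Alert"] == ALERT_NAME}
    return [ev for ev in events if ev["_time"].strftime(date_fmt) not in excluded]


def normalize_lookup_dates(rows, date_fmt):
    """Rewrite Holidays_Date into exactly the string strftime(_time, date_fmt) produces.
    strftime zero-pads %m and %d, so '8/12/2023' never equals '08/12/2023' (or '08/12/23'
    with %y); the lookup side must be stored in the same shape the eval emits."""
    fixed = []
    for row in rows:
        parsed = datetime.strptime(row["Holidays_Date"], "%m/%d/%Y")  # strptime accepts unpadded input
        fixed.append(dict(row, Holidays_Date=parsed.strftime(date_fmt)))
    return fixed


def surviving_ids(events):
    """Event ids that would still fire the alert after filtering."""
    return [ev["id"] for ev in events]


if __name__ == "__main__":
    print("answer 1, CSV as posted:     ", surviving_ids(answer1_filter(EVENTS, ROWS)))
    print("answer 1, CSV in %m/%d/%Y:   ", surviving_ids(answer1_filter(EVENTS, normalize_lookup_dates(ROWS, "%m/%d/%Y"))))
    print("answer 2, CSV as posted:     ", surviving_ids(answer2_filter(EVENTS, ROWS)))
    print("answer 2, CSV in %m/%d/%y:   ", surviving_ids(answer2_filter(EVENTS, normalize_lookup_dates(ROWS, "%m/%d/%y"))))
```

With the CSV exactly as posted, both emulated pipelines let all three events through, including the two dated on listed holidays; once the lookup dates are rewritten in the padded form the eval produces, only the ordinary-day event survives under either approach. The same padding check applies to any field used as a lookup key, not just dates.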
Can you post the query and show what the results were?