Splunk Enterprise

How to suppress alerts during holidays

Vani_26
Path Finder

Original query:

index=splunk-index
| where message="start"
| where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| eval day=strftime(_time, "%A")
| where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")

To suppress my alert, I created a lookup file and added the alert name and holiday dates as shown below:

Alert                   Holidays_Date
App Relative Logs Data  8/12/2023
App Relative Logs Data  8/13/2023
App Relative Logs Data  8/14/2023
App Relative Logs Data  8/18/2023

Query with inputlookup holiday list:

| inputlookup HolidayList.csv
| where like(Alert, "App Relative Logs Data") AND Holidays_Date=strftime(now(), "%m/%d/%y")
| stats count
| eval noholdy=case(count=1, null(), true(), 1)
| search noholdy=1
| fields noholdy
| appendcols
    [search index=splunk-index
    | where message="start"
    | where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
    | eval day=strftime(_time, "%A")
    | where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
    | where NOT day IN("Tuesday", "Wednesday", "Thursday")]


When I used this query I am still receiving alerts on the dates mentioned in the .csv file, but I don't want to receive the alerts.
Is there something wrong in my query? Please help.


bowesmana
SplunkTrust

When using a lookup, it's normal to just use it as a lookup rather than as a data source via inputlookup, which you then have to join with your other data set as you are doing with your appendcols. If this is your base search for data:

index=splunk-index
| where message="start"
| where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| eval day=strftime(_time, "%A")
| where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")

You just need to add the following to look up the

| eval Event_Date=strftime(_time, "%m/%d/%Y")
| lookup HolidayList.csv Holidays_Date as Event_Date OUTPUT Alert
| where isnull(Alert) OR Alert!="App Relative Logs Data"

I would also suggest you change your initial search to move the static search criteria from the where clauses into the search itself, and do the strftime just before it's needed, i.e.

index=splunk-index message="start" NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| where _time >= relative_time(_time,  "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| eval day=strftime(_time, "%A")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")

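The lookup-based suppression from the answer above, re-implemented in Python as an added example (not code from the thread or from Splunk) so the filter rules can be checked offline against constructed event times; the HOLIDAYS rows are a constructed copy of the lookup shown in the question. It also shows what a plain text comparison of strftime output against an unpadded lookup date such as 8/12/2023 returns, which is the first thing to verify when the suppression does not fire.

```python
# Offline model of the holiday-suppression alert search from this thread.
# Added example, not code from the thread or from Splunk: it re-implements the
# SPL filters (04:00-14:00 window, weekday exclusion, holiday lookup) in Python.
from datetime import datetime

ALERT_NAME = "App Relative Logs Data"

# Constructed copy of the HolidayList.csv rows (Alert, Holidays_Date) from the
# question, with the dates kept unpadded exactly as posted.
HOLIDAYS = [
    (ALERT_NAME, "8/12/2023"),
    (ALERT_NAME, "8/13/2023"),
    (ALERT_NAME, "8/14/2023"),
    (ALERT_NAME, "8/18/2023"),
]


def holiday_dates(alert_name=ALERT_NAME):
    """Lookup dates for one alert, normalised to ISO 'YYYY-MM-DD'.
    strptime accepts both '8/12/2023' and '08/12/2023' for %m/%d/%Y."""
    return {datetime.strptime(raw, "%m/%d/%Y").date().isoformat()
            for alert, raw in HOLIDAYS if alert == alert_name}


def text_match_suppressed(event_ts):
    """Plain text comparison of strftime(_time, "%m/%d/%Y") with the raw
    Holidays_Date column, which is what `lookup ... Holidays_Date as Event_Date`
    does. %m and %d are zero-padded, so '08/12/2023' never equals '8/12/2023'."""
    event_date = datetime.fromisoformat(event_ts).strftime("%m/%d/%Y")
    return any(raw == event_date for alert, raw in HOLIDAYS if alert == ALERT_NAME)


def should_alert(event_ts):
    """True when an event (ISO timestamp, local time) passes every filter of
    the alert search: @d+4h <= _time <= @d+14h, not Tue/Wed/Thu, and its
    calendar date is not a holiday listed for this alert."""
    ts = datetime.fromisoformat(event_ts)
    seconds_into_day = ts.hour * 3600 + ts.minute * 60 + ts.second
    if not 4 * 3600 <= seconds_into_day <= 14 * 3600:
        return False                       # outside the @d+4h..@d+14h window
    if ts.strftime("%A") in ("Tuesday", "Wednesday", "Thursday"):
        return False                       # excluded weekday
    return ts.date().isoformat() not in holiday_dates()
```

Normalising both sides to a date (as holiday_dates does) is the robust form; in SPL the equivalent is to store the lookup dates in the same zero-padded format that strftime emits.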

VatsalJagani
SplunkTrust

@Vani_26 - Try this

index=splunk-index
| where message="start"
| where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| eval day=strftime(_time, "%m/%d/%y")
| search NOT [| inputlookup HolidayList.csv | where like(Alert, "App Relative Logs Data") | rename Holidays_Date as day | fields day | table day]

Just to make sure, this will not suppress the alert on the holiday but rather suppress the alert for the data that is timestamped on the holiday. There is a minor difference.


I hope this helps!!! Kindly upvote if it does!!!


Vani_26
Path Finder

Hi @bowesmana, I tried the suggested query but it's not working.


bowesmana
SplunkTrust

Can you post the query and show what the results were?
