Splunk Enterprise

How to suppress alerts during holidays

Vani_26
Path Finder

original query:
index=splunk-index | where message="start" | where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| eval day=strftime(_time, "%A")
| where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")

To suppress my alert, I created a lookup file and added the alert name and holiday dates as shown below:

Alert,Holidays_Date
App Relative Logs Data,8/12/2023
App Relative Logs Data,8/13/2023
App Relative Logs Data,8/14/2023
App Relative Logs Data,8/18/2023

Query with inputlookup holiday list:


| inputlookup HolidayList.csv
| where like(Alert, "App Relative Logs Data") AND Holidays_Date=strftime(now(), "%m/%d/%y")
| stats count
| eval noholdy=case(count=1, null(), true(), 1)
| search noholdy=1
| fields noholdy
| appendcols
    [search index=splunk-index | where message="start" | where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
    | eval day=strftime(_time, "%A")
    | where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
    | where NOT day IN("Tuesday", "Wednesday", "Thursday")]


When I used this query I am still receiving the alert on the dates listed in the .csv file, but I don't want to receive the alerts.
Is there something wrong in my query? Please help.

0 Karma

bowesmana
SplunkTrust

When using a lookup, it's normal to just use it as a lookup rather than as a data source via inputlookup, which you then have to join with your other data set, as you are doing with your appendcols. If this is your base search for data

index=splunk-index
| where message="start"
| where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| eval day=strftime(_time, "%A")
| where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")

you just need to add the following to look up the

| eval Event_Date=strftime(_time, "%m/%d/%Y")
| lookup HolidayList.csv Holidays_Date as Event_Date OUTPUT Alert
| where isnull(Alert) OR Alert!="App Relative Logs Data"

I would also suggest you change your initial search to move the static search criteria from the where clause into the search, and do the strftime just before it's needed, i.e.

index=splunk-index message="start" NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| where _time >= relative_time(_time, "@d+4h") AND _time <= relative_time(_time, "@d+14h")
| eval day=strftime(_time, "%A")
| where NOT day IN("Tuesday", "Wednesday", "Thursday")


0 Karma

VatsalJagani
SplunkTrust

@Vani_26 - Try this

index=splunk-index | where message="start" | where NOT app IN("ddm", "wwe", "tygmk", "ujhy")
| eval day=strftime(_time, "%m/%d/%Y")
| search NOT [| inputlookup HolidayList.csv | where like(Alert, "App Relative Logs Data") | eval day=strftime(strptime(Holidays_Date, "%m/%d/%Y"), "%m/%d/%Y") | fields day]


Just to make sure, this will not suppress the alert on the holiday but rather suppress the alert for the data that is timestamped on the holiday. There is a minor difference.


I hope this helps!!! Kindly upvote if it does!!!

0 Karma
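As an added example (not code from the thread, from Splunk, or from either answerer), the two matching strategies in the answers above modelled in Python: bowesmana's per-event lookup and VatsalJagani's subsearch both compare a strftime string against the Holidays_Date column, and the run-time check in the original question compares now() the same way. The constructed lookup below copies the dates exactly as the question shows them (8/12/2023, no zero padding), which is why a zero-padded strftime output such as 08/12/2023 or 08/12/23 never matches it as text; parsing both sides to a date object removes that dependency. The block also separates suppressing the whole run on a holiday from dropping only the events timestamped on one, the distinction raised in the second answer. The names HOLIDAY_LIST_CSV, load_holidays, naive_string_match, is_holiday_run, filter_events and suppress_for_run are this example's own, and the event list is constructed.

```python
"""Holiday suppression for a scheduled alert, modelled in Python.

Added example, not code from the original thread. A lookup CSV of
(Alert, Holidays_Date) rows is matched against either the scheduled
run time (suppress the whole alert on a holiday) or each event's own
timestamp (drop only events that fall on a holiday). The dates are
written the way the thread shows them (no zero padding, four-digit
year), which is exactly what makes a naive strftime string comparison
miss.
"""
import csv
import io
from datetime import date, datetime

# Constructed lookup contents, copied from the thread's HolidayList.csv.
HOLIDAY_LIST_CSV = """\
Alert,Holidays_Date
App Relative Logs Data,8/12/2023
App Relative Logs Data,8/13/2023
App Relative Logs Data,8/14/2023
App Relative Logs Data,8/18/2023
"""

ALERT_NAME = "App Relative Logs Data"


def parse_lookup_date(text):
    """Parse a lookup date with strptime semantics: '8/12/2023' and
    '08/12/2023' both become date(2023, 8, 12)."""
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


def load_holidays(csv_text, alert_name):
    """Return the set of holiday dates that apply to one alert name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {parse_lookup_date(row["Holidays_Date"])
            for row in reader if row["Alert"] == alert_name}


def naive_string_match(csv_text, alert_name, when, fmt):
    """The text comparison the thread's queries rely on:
    strftime(when, fmt) == Holidays_Date, compared as strings.
    strftime always zero-pads %m and %d, so it cannot equal '8/12/2023'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    key = when.strftime(fmt)
    return any(row["Alert"] == alert_name and row["Holidays_Date"] == key
               for row in reader)


def is_holiday_run(holidays, run_time):
    """True when the scheduled run itself falls on a holiday.
    Both sides are naive local times here; in Splunk the lookup dates
    carry no zone either, so now()/_time must be formatted in the same
    zone the dates were written in."""
    return run_time.date() in holidays


def suppress_for_run(events, holidays, run_time):
    """Original question's intent: emit nothing if the run is on a
    holiday, otherwise emit everything, holiday-stamped or not."""
    return [] if is_holiday_run(holidays, run_time) else list(events)


def filter_events(events, holidays):
    """Per-event matching (both answers): keep only events whose own
    timestamp is not on a holiday, regardless of when the search runs."""
    return [e for e in events if e["_time"].date() not in holidays]


if __name__ == "__main__":
    holidays = load_holidays(HOLIDAY_LIST_CSV, ALERT_NAME)
    when = datetime(2023, 8, 12, 9, 0)
    for fmt in ("%m/%d/%y", "%m/%d/%Y"):
        print(fmt, "as text ->", naive_string_match(HOLIDAY_LIST_CSV, ALERT_NAME, when, fmt))
    print("parsed ->", is_holiday_run(holidays, when))
```

The SPL equivalent of the parsed comparison is to normalise the lookup column with strptime and re-emit it with the same strftime format used on the event side, and to make sure both sides are evaluated in the same time zone, since the lookup dates carry none. The two list functions show the operational difference: a run at 00:30 on 8/15 scanning the previous hour is not suppressed by the run-time check but still drops the 8/14 events under per-event matching.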

Vani_26
Path Finder

Hi @bowesmana, I tried the suggested query but it's not working.

0 Karma

bowesmana
SplunkTrust

Can you post the query and show what the results were?

0 Karma