Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Facing issue with my Serach

Amit79
Loves-to-Learn Everything
‎03-20-2024 06:50 AM

Hello All,

Below is my alert script, and I dont want to have any alerts during night 11:50 to 00:25 midnight, however I am getting them and its triggering alert to the support team. this is the daily restart window for interfaces and no need of alerts during this time.

index=XXX sourcetype=XXX  punct="--_::.,_=\"\""
| rex field=_raw "\d*-\d*-\d*\s(?<hour>\d*:\d*):\d*\S\d*\S"
| search hour!=23:50
| search hour!=00:15
| table _time SITE

Appreciate help on this.

 

Below is the sample event

2024-03-20 06:32:08.046, SITE="UU3"
Tags (1)
0 Karma
Reply

sjringo
Contributor
‎03-20-2024 05:59 PM

Find out what the current time is then compare to you window times:

| eval timeNow = strftime(now(), "%H%M")

| where (timeNow < 2350 AND timeNow > 0015)   ```Outside of main. window```

 

0 Karma
Reply

Amit79
Loves-to-Learn Everything
‎03-20-2024 06:53 AM

correction : no need of alerts during 23:50 to 00:15

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...