Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Black out my splunk alert for particular period ?

karthi2809
Builder
‎03-14-2018 11:32 PM

How to Black out my splunk alert for particular period?

There are two different scenarios
firest alert:

1)16:30 ET Saturday to 00:30 ET Monday on all weekends --->black out time

index=Test_PROD source="common" LEGACY_SYSTEM_NAME=Test|rename GUID as CS_GUID| join type=outer CS_GUID [search source="errordetail" NOT [search index=Test_PROD sourcetype="Logging" SEVA+Test OR ACES OR NPI 0x00030001 |rename GUID as CS_GUID | table CS_GUID]] | stats count(eval(TRAN_TYPE="275")) as "T275Count" count(eval(ERROR_CODE="Y42R")) as Y42RCount by LEGACY_SYSTEM_NAME | eval Y42RPerc = Y42RCount*100/T275Count| where Y42RCount >5

Second alert:
00:00 to 08:00 ET on weekdays and 20:00 to 08:00 ET on weekends --->black out time

index=Test_PROD source="common" LEGACY_SYSTEM_NAME=Test|rename GUID as CS_GUID| join type=outer CS_GUID [search source="errordetail" NOT [search index=Test_PROD sourcetype="Logging" SEVA+Test OR ACES OR NPI 0x00030001 |rename GUID as CS_GUID | table CS_GUID]] | stats count(eval(TRAN_TYPE="275")) as "T275Count" count(eval(ERROR_CODE="Y42R")) as Y42RCount by LEGACY_SYSTEM_NAME | eval Y42RPerc = Y42RCount*100/T275Count| where Y42RCount >5

0 Karma
Reply

p_gurav
Champion
‎03-15-2018 03:39 AM

Hi,

Apparently it's not possible to put all condition in 1 cron schedule, you have to create 4 separate alert with below suggested cron.

  1. 16:30 ET Saturday to 00:30 ET Monday on all weekends :

    Cron : */30 * * * 1,2,3,4,5
    : */30 0-16 * * 6

  2. 00:00 to 08:00 ET on weekdays and 20:00 to 08:00 ET on weekends
    Cron : */30 9-23 * * 1,2,3,4,5
    : */30 8-19 * * 0,6

0 Karma
Reply

p_gurav
Champion
‎03-14-2018 11:49 PM

Foe weekend you want 20:00 to 08:00 ET on weekends this or 16:30 ET Saturday to 00:30 ET Monday on all weekends?

0 Karma
Reply

karthi2809
Builder
‎03-14-2018 11:54 PM

Hi p_gurav

mentioned two alert scenarios

0 Karma
Reply

p_gurav
Champion
‎03-15-2018 12:39 AM

How frequently this alerts are running? You can do this black out thing with cron schedule, but to help you with that I need alert frequency.

0 Karma
Reply

karthi2809
Builder
‎03-15-2018 02:07 AM

every 30 min

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...