- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to Black out my splunk alert for particular pe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to Black out my splunk alert for particular period ?
How to Black out my splunk alert for particular period?
There are two different scenarios
firest alert:
1)16:30 ET Saturday to 00:30 ET Monday on all weekends --->black out time
index=Test_PROD source="common" LEGACY_SYSTEM_NAME=Test|rename GUID as CS_GUID| join type=outer CS_GUID [search source="errordetail" NOT [search index=Test_PROD sourcetype="Logging" SEVA+Test OR ACES OR NPI 0x00030001 |rename GUID as CS_GUID | table CS_GUID]] | stats count(eval(TRAN_TYPE="275")) as "T275Count" count(eval(ERROR_CODE="Y42R")) as Y42RCount by LEGACY_SYSTEM_NAME | eval Y42RPerc = Y42RCount*100/T275Count| where Y42RCount >5
Second alert:
00:00 to 08:00 ET on weekdays and 20:00 to 08:00 ET on weekends --->black out time
index=Test_PROD source="common" LEGACY_SYSTEM_NAME=Test|rename GUID as CS_GUID| join type=outer CS_GUID [search source="errordetail" NOT [search index=Test_PROD sourcetype="Logging" SEVA+Test OR ACES OR NPI 0x00030001 |rename GUID as CS_GUID | table CS_GUID]] | stats count(eval(TRAN_TYPE="275")) as "T275Count" count(eval(ERROR_CODE="Y42R")) as Y42RCount by LEGACY_SYSTEM_NAME | eval Y42RPerc = Y42RCount*100/T275Count| where Y42RCount >5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Apparently it's not possible to put all condition in 1 cron schedule, you have to create 4 separate alert with below suggested cron.
16:30 ET Saturday to 00:30 ET Monday on all weekends :
Cron : */30 * * * 1,2,3,4,5
: */30 0-16 * * 600:00 to 08:00 ET on weekdays and 20:00 to 08:00 ET on weekends
Cron : */30 9-23 * * 1,2,3,4,5
: */30 8-19 * * 0,6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Foe weekend you want 20:00 to 08:00 ET on weekends this or 16:30 ET Saturday to 00:30 ET Monday on all weekends?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi p_gurav
mentioned two alert scenarios
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How frequently this alerts are running? You can do this black out thing with cron schedule, but to help you with that I need alert frequency.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
every 30 min
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
