Splunk Search

How to configure a timechart alert to not trigger between a certain time frame (1:00am - 5:00am)?

raindrop18
Communicator

I am trying to set up an alert based on time chart. My objective is to check user logins, and if no user logged in for 1 hour, send me alert. Also, I don't want to be sent an alert between 1am-5am because of the low traffic on my site during this time frame. This what I have tried, but not working.

index=mysite host=webserver* "user-loggedin" |where NOT (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday OR date_wday=saturday OR date_wday=sunday) AND (date_hour >=2 AND date_hour<=6)   | timechart count as count span=1hr

The alert should trigger if the count less than 0.

thanks

0 Karma

woodcock
Esteemed Legend

First of all, NEVER use the "free" date_* fields because they are pre-TZ-normalized values so they sometimes do not exist and when they do, they are always wrong; you must make your own and use those.

Secondly, your NOT clause includes ALL DAYS so there is nothing left to use! 😆

Try this:

 index=mysite host=webserver* "user-loggedin"
| eval date_hourmin=strftime(_time, "%H%M") | eval date_wday = strftime(_time, "%w")
| search (date_hourmin<=100 OR date_hourmin>=500)
| timechart count span=1h
0 Karma

sundareshr
Legend

If I understand your use case, you want to a blackout period between 1am & 5 am, right? For this, you should setup a cron schedule, something like this

1 0-2,5-23 * * * 

You could also restrict your search to run only on the last hours data, like this

index=* earliest=-1h@h | ...
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...