Set alert search results to 0 or have my query not find any results on a particular day between 1 AM and 2 AM?

sjringo
Contributor

I have an idea and am looking for some input on how to approach it, where to start.

As mentioned in the subject, I do not want an alert to be triggered if, let's say, it's Sunday between 1-2 AM. I cannot do this via cron, so I am looking for an alternative solution.

Questions/Thoughts:

(1) What is the best/simplest way to get the day and hour from Splunk?

(2) Once I get the day and hour, how should I incorporate that into my existing alert query? Should I create a var to indicate outage or not (0/1)?

(3) Once I determine that I am in an outage (1), is there an easy way to force the alert's results to = 0?

I know there are going to be many questions, so fire away and I will try to explain or answer the best I can, as there are many alerts I'm trying to make this work for and they are all slightly different in their implementation...

1 Solution

ITWhisperer
SplunkTrust

Hour IN (13, 14) would be between 1PM and 3PM not 1AM and 2:59AM. Try Hour != 1 AND Hour !=2


ITWhisperer
SplunkTrust
| eval hour=strftime(now(),"%H")
| eval day=strftime(now(),"%d")
| where false()

sjringo
Contributor

What I have done is to add these lines at the end of my query; from my initial testing it works.

Is this what you were getting at?

| eval hour=strftime(now(),"%H")
| eval weekday=strftime(now(),"%w")
| where NOT (hour IN (13,14)) AND weekday != 0

This would not generate any results if it's Sunday between 1 AM through 2:59 AM?
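Putting the thread together, here is an added example of the complete pattern (this is not code from any of the posts): the alert's normal search runs first, then the outage flag is computed from now(), then the filter drops every row while the flag is set. The leading search (index=app, sourcetype=app_logs, a level field, a threshold of 10 errors per host) is a made-up placeholder for your own alert search. The tonumber() calls are there because strftime() returns strings ("%H" gives "01" at 1 AM), so converting first avoids comparing a string against a number; "%w" gives 0 for Sunday, and hour 1 or 2 covers 01:00 through 02:59, which is the window the accepted answer describes.

```spl
index=app sourcetype=app_logs level=ERROR
| stats count AS errors BY host
| where errors > 10
| eval hour=tonumber(strftime(now(),"%H")), weekday=tonumber(strftime(now(),"%w"))
| eval in_outage=if(weekday==0 AND (hour==1 OR hour==2), 1, 0)
| where in_outage==0
| fields - hour, weekday, in_outage
```

Two things to check before relying on it. First, now() is evaluated when the scheduled search runs, and strftime() formats it in the timezone of the user the alert runs as (the alert's owner), so confirm that timezone matches the one the maintenance window is defined in. Second, this only empties the alert's result set; the underlying events are still indexed, so anything that happened during the window can still be reviewed afterwards, which is what you want from a suppression rather than a true outage. Because the last three lines do not depend on the alert in front of them, they can be saved once as a search macro and appended to each of the differing alerts instead of being copied into every one.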

