I have an idea and am looking for some input on how to approach it, where to start.
As mentioned in the subject, I do not want an alert to be triggered if, let's say, it's Sunday between 1-2 AM. I cannot do this via CRON, so I am looking for an alternative solution.
Questions/Thoughts:
(1) What is the best/simplest way to get the Day and Hour from Splunk?
(2) Once I get day & hour, how should I incorporate that into my existing alert query? Should I create a var to indicate outage or not (0/1)?
(3) Once I determine that I am in an outage (1), is there an easy way to force the alert's results to = 0?
I know there are going to be many questions, so fire away and I will try to explain or answer as best I can. There are many alerts I'm trying to make this work for, and they are all slightly different in their implementation...
Hour IN (13, 14) would be between 1 PM and 3 PM, not 1 AM and 2:59 AM. Try Hour != 1 AND Hour != 2
| eval hour=strftime(now(),"%H")
| eval day=strftime(now(),"%d")
| where false()
What I have done is to add these lines at the end of my query; from my initial testing it works.
Is this what you were getting at?
| eval hour=strftime(now(),"%H")
| eval weekday=strftime(now(),"%w")
| where NOT (hour IN (13,14)) AND weekday != 0
This would not generate any results if it's Sunday between 1 AM and 2:59 AM?
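As an added example (not posted by anyone in this thread), here is a version of the suppression that only drops results inside the Sunday 01:00-02:59 window, instead of all of Sunday plus 1-3 PM every day. It assumes the scheduled search runs as a user whose timezone setting matches the timezone the outage window is defined in, since now() is formatted in that user's timezone; replace the first line with your own alert search:

```spl
<your existing alert search>
| eval hour=tonumber(strftime(now(), "%H"))
| eval weekday=tonumber(strftime(now(), "%w"))
| eval in_outage=if(weekday=0 AND hour>=1 AND hour<=2, 1, 0)
| where in_outage=0
```

weekday is 0 for Sunday and hour is the zero-based hour, so the condition covers 01:00:00 through 02:59:59 and in_outage is the 0/1 flag asked about in question (2); the where clause then returns zero results during the window (question 3). By contrast, NOT (hour IN (13,14)) AND weekday != 0 suppresses every Sunday and every weekday's 1-3 PM, because the NOT applies only to the hour test and the AND requires both conditions to hold for a result to survive.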