Alerting

Create alert - only during working hours

JYTTEJ
Communicator

I need to create an alert which will only trigger during working hours - even if event happened during outside working hours.

The alert should only trigger between 08:00 and 17:00 GMT.

The alert is based on searching for Cxx002W. If this happens between 17:00 and 08:00 GMT - the alert should not be triggered until 08:00 GMT.

I can set up a search which run at 08:00 - and if any Cxx002W between 17:00 and 08:00 GMT - then alert is triggered.

But what do I do during working hours?

I.e. if Cxx002W occur at 11:45 GMT I need the alert to be triggered rigth away

Do you have any good ideas? I want only to set up ONE alert

Tags (1)

ftk
Motivator

You could refine your search using date_hour so it will only bring back results during business hours:

(your search terms) (date_hour > 8 AND date_hour < 17)

Then schedule the search to run over whatever time frame you choose (half hour?) and configure your alerts. The search will only show results between 8am and 5 pm.

JYTTEJ
Communicator

there is very littel traffic on this line. It is not necessary to take action on any incidents during evening/nigth time.This can wait until the following morning.
During working hours we want to take action as soon as possible.

This is the background

0 Karma

maverick
Splunk Employee
Splunk Employee

if you do need to create two alerts for the same reason, but for different time ranges like this answer suggests, put your entire alert search string into a macro and then reference that macro from both alerts. That way, if you need to change the alert conditions, both alerts are updated appropriately.

ftk
Motivator

In that case add a second search that runs at 8am over the past 15 hours and alert on any results.

0 Karma

JYTTEJ
Communicator

Thanks - but this will only select on occurrences which happen between 08:00 and 17:00 - I also need to create an alert if this occurrence happen between 17:00 and 08:00 - but the alert should not be created until after 08:00

So, if the occurrence happen at 01:00 - then the alert should be created at 08:00 the following morning.

If the occurrence happen during day time (08:00 to 17:00) then the alert should be created immediately at scheduled time.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...