Alerting

How to put an expiration date on a set of saved searches/alerts so after a specified date, they will no longer run?

daniel333
Builder

All,

New to macros, hoping someone can hammer something out for me or at least point me in the right direction. I am not 100% sure Macros are what I need.

Problem:
I want to put expiration dates on a certain set of saved searches. That is, I want this alert after 6/15/2016 to no longer run. The job should run and just log out the alert as expired or something. Also helpful would be a line of code that warns the job is going to expire in 1 month, giving the consumer of the job 30 days notice.

Thinking:
What I think I need to do is create a macro on my job that takes a parameter of the date I want it to expire on. In the macro I should set with an eval alertlifetime="good"|"expiringsoon"|"expiring" and include alertlifetime in the alert subject line as a token. But I am not sold on this solution. If there is something better I am open to it.

Example:

tag=java tag=problem `expiremacro("6/6/16")` | stats count by host, alertlifetime
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Looks like you're hard-coding the date in the search anyway, so I don't see any use of a macro as such. My suggestion may not look as clean as your macro implementation, but it should do the task. Try something like this:

tag=java tag=problem [| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search]
| stats count by host
| eval Comment=[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]


marcospmr
Explorer

I'm trying this on 6.4, but it's not working. It's not accepting 1=1 as an argument. Any ideas?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Any specific error you're getting?

0 Karma

marcospmr
Explorer

The count of events is getting 0 results.

For troubleshooting purposes, I've tried to run the search like this:

index=* [| gentimes start=-1 | eval search=if(now()>=strptime("05/30/16","%m/%d/%y"),"1=2","1=1") | table search]

The result is: "No results found."

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try using the field name "query" instead of "search" in the subsearch.

0 Karma

sk314
Builder

what sorcery is this? 🙂

daniel333
Builder

Wow! I have 0 idea what is going on in that search. But I'll give it a shot tonight. Thanks for getting back to me.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Ok, so let's make that 0 into some positive number.

[| gentimes start=-1 | eval search=if(now()>=strptime("2/16/16","%m/%d/%y"),"1=2",1=1) | table search]

The first subsearch (above) compares the current time with the cut-off date (2/16/16 here) and returns a string (that's why I used the field name search, so its value is returned as-is) with 1=2 (current date is after your cut-off date, search will not run) OR 1=1 (just the opposite).

[| gentimes start=-1 | eval DayDiff=abs(round((now()-strptime("2/16/16","%m/%d/%y"))/86400)) | eval search=if(DayDiff<=30,"Alert Expiring in ".tostring(DayDiff)." days","All Good") | table search | eval search="\"".search."\""]

The second subsearch again returns a string "All Good" if there are more than 30 days till the cut-off date, OR an alert-expiring message with the number of days otherwise. (Since we set the value of the field Comment here, it should be enclosed within double quotes.)
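Putting the thread's two fixes together, as an added example that is not part of any post above: the true branch is quoted ("1=1", the unquoted form is what fails on 6.4), the subsearch field is named query as suggested later in the thread, and the day count is signed rather than abs() so the comment can distinguish "expired" from "expiring soon", which is what the original question asked for. The 6/15/2016 cut-off is taken from the question; everything else is an assumption for illustration.

```spl
tag=java tag=problem
    [| gentimes start=-1
     | eval query=if(now()>=strptime("6/15/2016","%m/%d/%Y"), "1=2", "1=1")
     | table query]
| stats count by host
| eval Comment=[| gentimes start=-1
     | eval DaysLeft=round((strptime("6/15/2016","%m/%d/%Y")-now())/86400)
     | eval query=case(DaysLeft<=0,  "Alert expired",
                       DaysLeft<=30, "Alert expiring in ".tostring(DaysLeft)." days",
                       true(),       "All Good")
     | eval query="\"".query."\""
     | table query]
```

After the cut-off the first subsearch injects 1=2 into the base search, so the alert evaluates to zero events and never fires; before it, the Comment field carries the countdown that can be placed in the alert subject as a token.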

joxley
Path Finder

Returning 1=2 into the main search to stop it from running is a really good trick. Thanks!

0 Karma