- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to configure a Real Time Alert to ignore a sch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure a Real Time Alert to ignore a scheduled maintenance window?
Greetings Splunkers,
I have a basic Real Time Alert (RTA) running that looks at all hosts for this message:
Message="The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
The RTA works as expected, however we reboot various servers every weekend for patches, which ends up triggering this alert. Is there anything I can do in the search parameters to ignore times from 12A-2A on weekends only? If not, is there another event code I can look at that truly is an unexpected shutdown alert?
Also on a side-note, is there a way to change my username? I didn't see the ability to in preferences.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a search, you have scheduling options, throttling options, and so on. Your search has some time frame involved in it, and throws an alert if any records are returned in that time frame with the requested characteristics. To kill the alert, just make sure there are no records that come out of the end.
You could, for example, add a time element to the search using _time to get the day and date_hour to get the hour.
[your alert search ]
| eval DayOfWeek=strftime(_time, "%A")
| search DayOfWeek="Saturday" OR DayOfWeek="Sunday" OR date_hour>=2
| [any other formatting you had]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks, trying to figure this one out. This is mine below with your help, though it doesn't seem to work.
host=* Message="The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly." | eval DayOfWeek=strftime(_time, "%A")
| search DayOfWeek!="Saturday" AND date_hour!=0 OR date_hour!=1 OR date_hour!=2 AND DayOfWeek!="Sunday" AND date_hour!=0 OR date_hour!=1 OR date_hour!=2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To expand on this, you can have lookup which contains your defined maintenance windows. Then in the search, compare current alert time to the time window in that lookup. If it is within the time window, do not alert. If it is not in the time window, alert.....
Thats a very high level solution... Writing the search is a bit more complex..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Precisely how is the RTA defined?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you be more specific? Sorry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see answer
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
