Alerting

How to stop the alerts on maintenance window on a specific day?

yamini26
New Member

We have a monthly release on the third-week Saturday of every month from 1:30 AM to 7 AM, and we also have a regular Sunday maintenance window every week from 2 AM to 5 AM. I want to stop the alerts from triggering during these two maintenance windows. Could someone help me with this?

0 Karma

niketn
Legend

@yamini26, while events created on Sunday within specific hours can be filtered in the base search using date_wday and date_hour, the third Saturday of the month cannot be identified in the base search. So your query might look like the following:

<YourBaseSearch> ((date_wday="monday") OR (date_wday="tuesday") OR (date_wday="wednesday") OR (date_wday="thursday") OR (date_wday="friday") OR (date_wday="saturday") OR (date_wday="sunday") AND (date_hour<2 OR date_hour>5))
| eval weekOfMonth=floor(date_mday/7)+1
| search (date_wday!="saturday") OR (date_wday="saturday" AND weekOfMonth!=3) OR (date_wday="saturday" AND weekOfMonth=3 AND ((date_hour<1 AND date_minute<30) OR date_hour>7))
| <YourRemainingSearch>

Another approach could be to keep the deployment/maintenance windows (Date or DateTime) in a CSV, which you should have at Enterprise, so that you can filter blackout time in the base search using inputlookup.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

stufty
Path Finder

The eval expression in line 2 above:
| eval weekOfMonth=floor(date_mday/7)+1
should be
| eval date_weekOfMonth=floor((date_mday-1)/7)+1

otherwise the 21st would show as being on the 4th week, for instance.

0 Karma
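The two windows from the question and the corrected week-of-month formula, modelled in Python so the boundary cases can be checked before the logic is written into a search. This is an added example, not code from any poster in this thread; the function names, the half-open window ends and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime

def week_of_month(mday: int) -> int:
    """Corrected formula from the thread: days 1-7 -> 1, 8-14 -> 2, 15-21 -> 3."""
    return (mday - 1) // 7 + 1

def misnumbered_days() -> list:
    """Days of the month where floor(mday/7)+1 disagrees with the corrected formula."""
    return [d for d in range(1, 32) if d // 7 + 1 != week_of_month(d)]

def in_maintenance(ts: datetime) -> bool:
    """True when ts is inside either window from the question.

    Assumption: windows are half-open [start, end) in the timestamp's own
    local time; the thread does not say whether the end minute is included.
    """
    minute_of_day = ts.hour * 60 + ts.minute      # minute granularity for the 01:30 start
    if ts.weekday() == 6:                         # Sunday, 02:00-05:00 every week
        return 2 * 60 <= minute_of_day < 5 * 60
    if ts.weekday() == 5 and week_of_month(ts.day) == 3:   # third-week Saturday
        return 1 * 60 + 30 <= minute_of_day < 7 * 60
    return False

def alerts_to_fire(events: list) -> list:
    """Keep only the event timestamps that fall outside the maintenance windows."""
    return [e for e in events if not in_maintenance(e)]

# Constructed sample timestamps (not taken from the thread).
SAMPLE = [
    datetime(2024, 3, 16, 1, 15),   # third Saturday, 15 minutes before the window
    datetime(2024, 3, 16, 1, 30),   # third Saturday, window opens
    datetime(2024, 3, 16, 6, 59),   # third Saturday, last minute of the window
    datetime(2024, 3, 16, 7, 0),    # third Saturday, window closed
    datetime(2024, 3, 9, 3, 0),     # second Saturday, no release
    datetime(2024, 3, 17, 2, 0),    # Sunday, window opens
    datetime(2024, 3, 17, 5, 0),    # Sunday, window closed
    datetime(2024, 9, 21, 3, 0),    # third Saturday that falls on the 21st
]

if __name__ == "__main__":
    for ts in SAMPLE:
        print(ts.isoformat(), "suppressed" if in_maintenance(ts) else "alert")
    print("days misnumbered by floor(mday/7)+1:", misnumbered_days())
```
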

gcusello
SplunkTrust

Hi yamini26,
you could insert in your search an exclusion condition:

your_search NOT (date_wday=sunday date_hour>1 date_hour<6)

Bye.
Giuseppe

0 Karma

yamini26
New Member

Can you tell me how to stop the alerts on every third-week Saturday and every Sunday? The timings are already mentioned in my question.

0 Karma

gcusello
SplunkTrust

Hi yamini26,
Sorry, I forgot the other condition.
You could insert an exclusion condition in your search:

 your_search NOT ((date_wday=sunday OR (date_wday=saturday date_mday>15 date_mday<22)) date_hour>1 date_hour<6)

Bye.
Giuseppe

0 Karma

aakwah
Builder

Have a look at this answer, hope it helps.

0 Karma