I want to stop getting alerted for specific events, which may increase during maintenance times (as I don't want to neglect only those alerts, and I want to avoid them spamming my inbox):
(every day 11PM-2AM) AND (Sunday 3AM-6AM)
Any advice on this?
@HKLM One of the options would be to use two separate crons (the following are once per hour, but you can increase the frequency as per your needs):
1) Mon-Sat, which runs from 02:00 AM to 23:00 PM: 0 2-23 * * 1-6
2) Sun from 00:00 AM to 03:00 AM and 06:00 AM to 23:00 PM: 0 0-3,6-23 * * 7
The other option would be to handle it in your query, based on the default extracted time fields date_wday and date_hour, so that they do not return any events during the blackout maintenance window: https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-w...
You can definitely combine both approaches as well, so that the alert does not trigger in the maintenance window and the query also takes care of the same.
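An added example (not part of the original answer, and not Splunk code): a Python check that lists the hours at which a cron schedule fires inside the blackout windows from the question. It assumes each window is half-open [start, end), checks only the fire time rather than the time range the search covers, and uses 0 for Sunday; the function names are hypothetical.

```python
# Added example: check cron fire times against the blackout windows in the question.
# Assumptions: windows are half-open [start, end); day-of-week is 0-6 with 0 = Sunday.

# (weekdays the window applies to, start hour, end hour); end < start wraps past midnight.
# A wrapping window is only modelled for "every day", which is all the question needs.
BLACKOUTS = [
    (set(range(7)), 23, 2),   # every day 11PM-2AM
    ({0}, 3, 6),              # Sunday 3AM-6AM
]

def expand(field, lo, hi):
    """Expand a cron field such as '0-3,6-23' or '*' into a sorted list of ints."""
    values = set()
    for part in field.split(","):
        if part == "*":
            values.update(range(lo, hi + 1))
        elif "-" in part:
            a, b = map(int, part.split("-"))
            values.update(range(a, b + 1))
        else:
            values.add(int(part))
    bad = sorted(v for v in values if not lo <= v <= hi)
    if bad:
        raise ValueError(f"values outside {lo}-{hi}: {bad}")
    return sorted(values)

def in_blackout(wday, hour):
    """True if the weekday/hour pair falls inside any blackout window."""
    for days, start, end in BLACKOUTS:
        if start <= end:
            inside = start <= hour < end
        else:
            inside = hour >= start or hour < end
        if inside and wday in days:
            return True
    return False

def blackout_hits(hour_field, dow_field):
    """Return (weekday, hour) pairs where the schedule fires during a blackout."""
    return [(d, h)
            for d in expand(dow_field, 0, 6)
            for h in expand(hour_field, 0, 23)
            if in_blackout(d, h)]

if __name__ == "__main__":
    for hours, days in [("2-23", "1-6"), ("0-3,6-23", "0")]:
        print(f"0 {hours} * * {days} ->", blackout_hits(hours, days))
```

Whether a run at a boundary hour such as 23:00 should count depends on the time range the scheduled search looks back over, so treat the listed hits as hours to review rather than as errors.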
Hi @niketn,
thanks for your comment.
Can you clarify the 2nd option? I tried to read through the link you provided; it seems to be a different issue than mine. I have a query like this:
index="os" sourcetype=DBCon source IN ("os_netlogs") no endpoint listening at http://cic.cb.com/PartyLS_HTTPRout/port
By the way, the 2nd cron expression should be 0 0-3,6-23 * * 0, as Sunday is 0, not 7.