Hello,
In one of our Splunk searches, we trigger an alert when 'Number of Results' is equal to 'zero'. We have scheduled this search to run every 15 minutes using a cron expression (i.e. */15 * * * *). Now we want to set up a blackout period for this search between 3:30 AM and 8:30 AM.
Can we achieve this by embedding 'date_hour' and 'date_minute' conditions in the search as follows:
source="/cust/app/log/server.log" ShipmentRequest WarehouseId="1234" NOT ("desired text") NOT (date_hour=3 AND date_minute>=30) NOT (date_hour=4) NOT (date_hour=5) NOT (date_hour=6) NOT (date_hour=7) NOT (date_hour=8 AND date_minute<30)
Thanks,
Vinayak
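The search in the question applies the blackout as a filter on each event's date_hour and date_minute. Because the alert fires on zero results, dropping every event inside the window means that each run during the blackout returns nothing, so the alert fires exactly when it should be silent; a blackout for a zero-result alert has to gate on the time the scheduled run executes, not on the events it reads. The Python model below is added here and is not part of the original post or of Splunk. It compares both strategies against constructed timestamps, and also shows how a one-character slip in the hour-8 clause (date_minute>=30 written for date_minute<30, an easy mistake with this many hand-written clauses) silently inverts that hour. The 15-minute search window, the event times and all function names are assumptions.

```python
"""Time-of-day blackout for a scheduled "zero results" alert (added example).

Assumptions (not from the original post): each scheduled run searches the
15 minutes ending at its run time, and date_hour/date_minute are the local
hour and minute of each event, as Splunk derives them from _time. The event
timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta

BLACKOUT_START = 3 * 60 + 30   # 03:30 as minutes after midnight (inclusive)
BLACKOUT_END = 8 * 60 + 30     # 08:30 (exclusive: the 08:30 run alerts again)


def mistyped_keep(hour, minute):
    """Hand-written NOT (...) clauses with two slips; True means the event survives.

    Minute 29 of hour 3 is excluded although the blackout starts at 03:30, and
    the hour-8 clause tests minute>=30 where minute<30 was meant, so it drops
    08:30-08:59 and keeps 08:00-08:29, the opposite of the intended window.
    """
    if hour == 3 and 29 <= minute <= 60:
        return False
    if hour in (4, 5, 6, 7):
        return False
    if hour == 8 and minute >= 0 and minute >= 30:
        return False
    return True


def in_blackout(t):
    """True when the wall-clock time t falls inside 03:30-08:29."""
    minute_of_day = t.hour * 60 + t.minute
    return BLACKOUT_START <= minute_of_day < BLACKOUT_END


def corrected_keep(hour, minute):
    """Same event filter as the question, with the window expressed once."""
    minute_of_day = hour * 60 + minute
    return not (BLACKOUT_START <= minute_of_day < BLACKOUT_END)


def matching_events(run_time, events, keep=lambda h, m: True):
    """Events in the 15-minute window ending at run_time that pass keep()."""
    window_start = run_time - timedelta(minutes=15)
    return [e for e in events
            if window_start < e <= run_time and keep(e.hour, e.minute)]


def alert_filter_in_search(run_time, events, keep):
    """'Number of results == 0' with the blackout applied as an event filter
    inside the search, as the question proposes."""
    return len(matching_events(run_time, events, keep)) == 0


def alert_gated_on_run_time(run_time, events):
    """Alert only outside the blackout, judged by the run's own clock time,
    and count every event in the window (no time-of-day event filter)."""
    if in_blackout(run_time):
        return False
    return len(matching_events(run_time, events)) == 0


# Constructed sample data: one ShipmentRequest per timestamp on a single day.
DAY = datetime(2024, 1, 15)
SAMPLE_EVENTS = [DAY + timedelta(hours=h, minutes=m)
                 for h, m in [(3, 20), (3, 50), (5, 0), (8, 10), (8, 40), (10, 0)]]


def run_at(hour, minute=0):
    """Scheduled run time on the sample day (the cron fires every 15 minutes)."""
    return DAY.replace(hour=hour, minute=minute)


if __name__ == "__main__":
    for hh, mm in [(3, 29), (8, 10), (8, 40)]:
        print(f"{hh:02d}:{mm:02d} kept by mistyped filter: {mistyped_keep(hh, mm)}, "
              f"by corrected filter: {corrected_keep(hh, mm)}")
    for run in [run_at(4), run_at(10, 15)]:
        print(f"run {run:%H:%M}: filter-in-search alert="
              f"{alert_filter_in_search(run, SAMPLE_EVENTS, corrected_keep)}, "
              f"gated alert={alert_gated_on_run_time(run, SAMPLE_EVENTS)}")
```

The 04:00 run is the telling case: a ShipmentRequest at 03:50 exists, but the event filter removes it, the search returns zero results and the alert fires in the middle of the blackout, whereas the run-time gate stays quiet. In Splunk the run-time gate corresponds to comparing the search's own execution time (for example info_search_time added by addinfo) with the window, while the event filter is left alone.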