Can I tag time as scheduled maintenance to exclude events from searches?

I would like to tag various time periods as "scheduled maintenance," so that my application error searches ignore events during these periods. The maintenance periods are irregular and of different durations. If I could transform these periods into custom fields, that would be ideal, I think. Then I could do something like

search "error" scheduled_maintenance=0 | stats etc

Does anyone have a suggestion on how I could achieve this goal?

asked 26 Aug '11, 07:01

jkeglovitz
33●4
accept rate: 0%

One Answer:

oldest newest most voted

I don't know of such support directly. I think I would probably approach it using a dynamic lookup. Your dynamic lookup script could, based on combinations of _time and host, output a field for scheduled_maintenance which you'd then filter on.

A good place to start might be

http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_fields_lookup_based_on_an_external_command_or_script

link

answered 26 Aug '11, 10:09

dwaddle ♦
11.2k●1●5●16
accept rate: 34%

edited 26 Aug '11, 10:14

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

time ×196
scheduled ×62
exclude ×9
maintenance ×3

Asked: 26 Aug '11, 07:01

Seen: 493 times

Last updated: 26 Aug '11, 10:14

Can I tag time as scheduled maintenance to exclude events from searches?

Follow this question

Splunk Resources

Related questions