Disable Graylog Alert on specific time

Hi All,

Is there any method to set a time during which alerts are disabled?
Our system undergoes maintenance every morning from 6:00 to 6:30 AM.
There will be so many alerts during that time, so I want to avoid them.

Hello,

Not that I know of. What you can do is pause the stream for that maintenance window. Most alerts have their own stream, so you can just pause that stream. If you're using the “All Messages” stream, you cannot. Or you can stop the input; probably not ideal, but it will work.

@gsmith Thanks for your reply.
I'm trying to set a pipeline rule to do this.
But I want to know how I can set “half hour” in the rule?

rule "add send alert field to message"
when
  to_long(to_date($message.timestamp).hourOfDay) >= 6 &&
  to_long(to_date($message.timestamp).hourOfDay) <= 7

then
  set_field("disable_alert", true);
end

I found the function “minute of hour”, but I don’t know how to define 6:00 to 6:30.
Any ideas?

I believe your pipeline is incorrect.
rule "Between 6 PM and 6 AM"
when
	// hourOfDay is a whole hour (0-23); the time zone ID is "America/Chicago"
	( to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) < 6 ) OR
	( to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) <= 23 )
then
	set_field("trigger_workhours_off", true);
end

Greater than 6 and less than 6:30, see if that works.

Remember it's military time.
( to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) >= 6 AND to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) <= 6:30 )

EDIT:

@gsmith
It seems “:” cannot be used in the “when” statement.

rule "add send alert field to message"
when
  ( to_long(to_date($message.timestamp, "Asia/Taipei").hourOfDay) >= 6 AND to_long(to_date($message.timestamp, "Asia/Taipei").hourOfDay) <= 6:30 )
then
  set_field("disable_alert", true);
end

Instead of 1/2 hour just make it an hour.

@gsmith
So the minimum will be 1 hour, right?

Correct

rule "Between 6 AM and 7 AM"
when
	// hourOfDay is a whole hour, so "< 7" ends the window at 06:59 instead of also matching 07:00-07:59
	( to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) >= 6 AND to_long(to_date($message.timestamp, "America/Chicago").hourOfDay) < 7 )
then
	set_field("trigger_workhours_off", true);
end
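A half-hour window can be expressed by combining `hourOfDay` with the `minuteOfHour` property mentioned earlier in the thread. The rule below is an added example, not code from any of the posts above; it reuses the `disable_alert` field and the `Asia/Taipei` time zone from the thread, and assumes that `minuteOfHour` can be read from the converted timestamp the same way `hourOfDay` is.

```graylog
rule "flag messages in the 06:00-06:30 maintenance window"
when
  // Both properties are read from the same timestamp, converted to local time.
  // hourOfDay == 6 limits the match to 06:00-06:59 ...
  to_long(to_date($message.timestamp, "Asia/Taipei").hourOfDay) == 6 &&
  // ... and minuteOfHour <= 30 narrows it to 06:00:00-06:30:59.
  to_long(to_date($message.timestamp, "Asia/Taipei").minuteOfHour) <= 30
then
  // Marker field only: this rule does not drop the message or stop any alert by itself.
  set_field("disable_alert", true);
end
```

The field has an effect only if the alert's search query excludes flagged messages (for example `NOT disable_alert:true`, an assumed query). Anything that arrives in the window is then invisible to that alert, so keep the window as narrow as the maintenance job allows.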
