
I have a Sumo Logic alert that works well during business hours on work days.

It is checking on the number of successful calls during the last hour. If the number is below a threshold an alert is generated. The checks are run on an hourly basis.

My problem is that at night or on the weekend the expected number is much lower than during business hours. Sometimes there are 1-hour intervals without any calls at all, thus no call succeeds and an alert will be raised.

How can I limit my alerts to the business hours as I don't need monitoring for night time or weekends?

Mjheitland

2 Answers

For Sumo Logic alerts, the core logic of each alert has to be embedded within the query. In this case you need to filter for business hours inside the query and set the alert to trigger only when there are results. So how do you check for business hours? Use some time conversion function, such as formatDate() https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/formatDate

For example:

```
* | formatDate(_messagetime,"EE") as DayOfWeek | formatDate(_messagetime,"HH") as HourOfDay | where (!(DayOfWeek in ("Sat","Sun"))) and ((HourOfDay>=6 and HourOfDay<=17))
```

David Ha
  • Hi David, Thanks for your answer. I have tried something similar but my problem is that I am looking for successful calls, not for failed calls. For failed calls your approach would work and filter all messages out on weekends / outside of business hours. But for successful calls, we are not getting enough of them at that time, sometimes no calls at all. So it would be great if there is a way to easily simulate successful calls. I used if clauses to change the number of successful calls but to make that work I would still need at least one call per hour, which we are not getting on a Sunday – Mjheitland Sep 20 '16 at 01:21
  • I see, you're right. So I think you'll first need to create a scheduled search of just a simple hourly count for successful calls and save the results to an index (via the "save to index" alert option). IMPORTANT: use the "fillmissing" operator, e.g. "fillmissing timeslice(1h)", in that search to catch the case when there is no data. Then, build your real alert based on that index - conditioning on the business hours, AND the low count, and trigger only when there are any results returned. – David Ha Sep 20 '16 at 21:54

You can also do this with a scheduled search using the custom cron search frequency, with a cron expression that only runs it on weekdays.

theannouncer