topic Re: Alerting cron Query in Alerting

Alerting cron Query

numeroinconnu12 — Tue, 09 Jun 2020 22:08:00 GMT

Hello,

I have a query that controls authentication to an application.
It is forbidden to connect to the application from 8:00 pm to 7:00 am unless necessary.
i want to do alert when i have connections from 8:00 pm to 7:00 am.
i use cron: 00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

but it's not work. can you help me please?

thanks

Re: Alerting cron Query

PavelP — Tue, 14 Apr 2020 13:55:45 GMT

Hello @numeroinconnu123 ,

you have to add two more asterisks:

00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

you can actually shorten it to:

0 0-7,20-23 * * *

you can check it here: https://crontab.guru/#00_20,21,22,23,0,1,2,3,4,5,6,7_*_*_*

Re: Alerting cron Query

numeroinconnu12 — Tue, 14 Apr 2020 14:06:29 GMT

Thank you. But I copied it wrong, otherwise I have three *** in my expression cron

What happens is I get one alert per hour with normal authentication data. What I want is just the logins between 8:00 pm and 7:00 a.m.

Re: Alerting cron Query

PavelP — Tue, 14 Apr 2020 15:30:20 GMT

you can run a search every hour from 9:00pm and 7:00am and report all logins during the last 60 minutes:

0 21-23,0-7 * * *

This means: “At minute 0 past every hour from 21 through 23 and every hour from 0 through 7.” Link: https://crontab.guru/#0_21-23,0-7_*_*_*

Make sure your splunk search is restricted to the last 60 minutes.

If it still doesn't work then show your query.

Let me know how it went

Re: Alerting cron Query

numeroinconnu12 — Tue, 21 Apr 2020 03:34:14 GMT

Thank you @PavelP it works