topic Re: Schedule an alert in Reporting

Schedule an alert

ankithreddy777 — Thu, 23 Mar 2017 20:21:11 GMT

How to schedule an alert to search for last hour data.
Ex: I have to schedule Alert to search for 9:00am-10:00am data. My Alert is scheduled at 15th min of every hour(15 */1 * * *). At 10:15 am, My alert runs, But I need it to search for last hour data(9-10am). what should be the earliest and the latest time settings?

Re: Schedule an alert

skoelpin — Thu, 23 Mar 2017 20:28:09 GMT

Go to Save As in the upper right corner after you have a search in the search bar and select Alert

There will be 2 fields Earliest and Latest

The Earliest field should have -1h@h
The Latest field should have now

This will set a 1 hour window of the previous hour

You will also see the timeranges populate once you enter in those values

Re: Schedule an alert

ankithreddy777 — Thu, 23 Mar 2017 20:30:33 GMT

If I use latest time as now, then it will search for the data from 9:00-10:15 right? I just need 1 hr data

Re: Schedule an alert

s2_splunk — Thu, 23 Mar 2017 21:06:14 GMT

Just use earliest=-1h@h latest=@h to search from 9-10 (assuming a 10:15/30/45 search run time.
Details here

Re: Schedule an alert

somesoni2 — Thu, 23 Mar 2017 21:14:04 GMT

Use earliest as -1h@h and latest as @h