topic Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM in Splunk Search

How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Thu, 16 Mar 2017 15:29:13 GMT

How to write a crontab from Monday 6 AM through Saturday 2 AM to run once in a hour.

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

gcusello — Thu, 16 Mar 2017 15:48:46 GMT

Hi srisplunk12,
it's not possible to write only one crontab for your need.
The close solution could be to create three alerts with three complementary crontabs:

- 0 * * * 2-5 
- 0 6-23 * * 1 
- 0 0-1 * * 6

Bye.
Giuseppe

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Thu, 16 Mar 2017 17:47:53 GMT

thank you @Giuseppe ..but can you please advice as to how do i put all four expressions in a single Splunk alert ?

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Thu, 16 Mar 2017 19:44:14 GMT

Check out my (sadly unaccpted) answer here for how to do it:

https://answers.splunk.com/answers/172541/is-it-possible-to-purposely-cause-a-scheduled-sear.html

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

gcusello — Fri, 17 Mar 2017 08:09:15 GMT

If the schedule you described is a mandatory rule, the only way is to create three equal alerts with the same search but a different schedule.
Bye.
Giuseppe

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Fri, 17 Mar 2017 18:51:05 GMT

Of use my answer which does it.

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Fri, 17 Mar 2017 19:40:15 GMT

@cusello Oh ! i wish splunk provides us a possibility to write them in one alert ..anyways thank you for letting me know..

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Fri, 17 Mar 2017 22:32:06 GMT

It is possible. Did you look at my answer? Follow the link and that's how to do it.

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

gcusello — Sat, 18 Mar 2017 08:55:08 GMT

Hi srisplunk12,
As suggested by Woodcock, you can filter events in your search and using only one crontab, in this way your search runs always but finds events only in the defined window.
Add to your search:

NOT (date_wday="sunday" OR (date_wday="monday" date_hour<2) OR (date_wday="saturday" date_hour>6))

Bye.
Giuseppe

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Mon, 20 Mar 2017 16:43:43 GMT

So this is my understanding from the above query..correct me if i am wrong..
It would fetch me events from Monday >2 Am through Saturday < 6 AM.

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Thu, 23 Mar 2017 16:00:18 GMT

@cusello ,@woodcock .. can you please say if my above understanding is correct..

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Thu, 23 Mar 2017 22:24:51 GMT

Correct, he switched the 6 and the 2 based on your OP.

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Tue, 29 Sep 2020 13:23:43 GMT

@woodcock ..so i think this will be my search string to fetch the events from Monday>6 AM to Saturday <2 AM

"NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6) OR (date_wday="saturday" date_hour>2))"

kindly confirm .

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Fri, 24 Mar 2017 15:17:28 GMT

Notice the NOT. You should not have switched the comparitors. It should be this:

NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6) OR (date_wday="saturday" date_hour>2))

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Fri, 24 Mar 2017 15:58:32 GMT

@woodcock...the only change i could see in your reply is to remove the " " at the start and end..

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Fri, 24 Mar 2017 18:12:53 GMT

Never mind. They are the same (you are correct).

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Tue, 29 Sep 2020 13:23:57 GMT

@woodcock , not to split hairs, but when you replied "not to switch the comparitors" i thought i will need to change the search string similar to this .. NOT (date_wday="sunday" OR (date_wday="monday" date_hour>6) OR (date_wday="saturday" date_hour<2)).. hence had the question..,,thanks for the help 🙂

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

woodcock — Fri, 24 Mar 2017 18:52:30 GMT

I misread the operators in your descriptive text as operators in your search text and posted a hasty answer. Then I noticed my mistake and deleted that update and posted the one that is here now.

Re: How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12 — Fri, 24 Mar 2017 21:04:11 GMT

ok thanks 🙂