Hello,
I have a query that controls authentication to an application.
It is forbidden to connect to the application from 8:00 pm to 7:00 am unless necessary.
I want to get an alert when I have connections from 8:00 pm to 7:00 am.
I use cron: 00 20,21,22,23,0,1,2,3,4,5,6,7 * * *
but it does not work. Can you help me please?
Thanks
Hello @numeroinconnu123 ,
You have to add two more asterisks:
00 20,21,22,23,0,1,2,3,4,5,6,7 * * *
You can actually shorten it to:
0 0-7,20-23 * * *
You can check it here: https://crontab.guru/#00_20,21,22,23,0,1,2,3,4,5,6,7_*_*_*
Thank you. But I copied it wrong; otherwise I have three *** in my cron expression.
What happens is I get one alert per hour with normal authentication data. What I want is just the logins between 8:00 pm and 7:00 a.m.
You can run a search every hour from 9:00 pm to 7:00 am and report all logins during the last 60 minutes:
0 21-23,0-7 * * *
This means: “At minute 0 past every hour from 21 through 23 and every hour from 0 through 7.” Link: https://crontab.guru/#0_21-23,0-7_*_*_*
Make sure your Splunk search is restricted to the last 60 minutes.
If it still doesn't work then show your query.
Let me know how it went.
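As an added illustration (not code from this thread or from Splunk), the script below expands the cron fields used in both answers, confirms that the long expression and the shortened 0-7,20-23 form are the same schedule, and then simulates the hourly runs over a handful of constructed login events to show why the search must be limited to the last 60 minutes and why the reporting schedule starts at 21:00 rather than 20:00: a run at 20:00 looking back 60 minutes would report logins from 19:00 to 20:00, which are outside the forbidden window. The event list, user names and timestamps are made up for the example; the cron semantics follow standard Vixie cron (Sunday is 0 or 7, and day-of-month and day-of-week are OR-ed only when both are restricted).

```python
"""Added example: evaluate 5-field cron schedules and simulate an hourly
"report the last 60 minutes" alert over constructed login events."""
from datetime import datetime, timedelta


def parse_field(field, lo, hi):
    """Expand one cron field ('*', '5', '0-7', '0-7,20-23', '*/2') into the
    set of integer values it matches within [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)  # int("00") == 0, so a leading zero is fine
        if not (lo <= start <= end <= hi):
            raise ValueError(f"cron field value out of range: {part!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse 'minute hour day-of-month month day-of-week' into value sets."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    minute, hour, dom, month, dow = fields
    return {
        "minute": parse_field(minute, 0, 59),
        "hour": parse_field(hour, 0, 23),
        "dom": parse_field(dom, 1, 31),
        "month": parse_field(month, 1, 12),
        "dow": parse_field(dow, 0, 7),       # 0 and 7 both mean Sunday
        "dom_any": dom == "*",
        "dow_any": dow == "*",
    }


def matches(expr, when):
    """True if the schedule fires at the given datetime (minute precision)."""
    c = parse_cron(expr)
    cron_dow = (when.weekday() + 1) % 7     # Python: Monday=0; cron: Sunday=0
    dow_ok = cron_dow in c["dow"] or (cron_dow == 0 and 7 in c["dow"])
    dom_ok = when.day in c["dom"]
    # Vixie cron: when both day fields are restricted, either matching is enough.
    day_ok = (dom_ok and dow_ok) if (c["dom_any"] or c["dow_any"]) else (dom_ok or dow_ok)
    return when.minute in c["minute"] and when.hour in c["hour"] \
        and when.month in c["month"] and day_ok


def schedules_equivalent(a, b):
    return parse_cron(a) == parse_cron(b)


def firing_hours(expr):
    return sorted(parse_cron(expr)["hour"])


# The three expressions discussed in the thread.
ORIGINAL = "00 20,21,22,23,0,1,2,3,4,5,6,7 * * *"
SHORT = "0 0-7,20-23 * * *"
REPORTING = "0 21-23,0-7 * * *"

# Constructed login events (not real data) around one 20:00-07:00 window.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 15, 19, 45), "user": "alice"},   # before the window
    {"ts": datetime(2024, 1, 15, 20, 10), "user": "bob"},
    {"ts": datetime(2024, 1, 15, 20, 55), "user": "carol"},
    {"ts": datetime(2024, 1, 15, 21, 0),  "user": "dave"},    # exactly on a run boundary
    {"ts": datetime(2024, 1, 16, 6, 30),  "user": "erin"},
    {"ts": datetime(2024, 1, 16, 7, 30),  "user": "frank"},   # after the window
]


def events_in_window(events, run_time, minutes=60):
    """Events in the half-open interval [run_time - minutes, run_time),
    i.e. the 'last 60 minutes' restriction applied at each scheduled run."""
    start = run_time - timedelta(minutes=minutes)
    return [e for e in events if start <= e["ts"] < run_time]


def reported_logins(expr, events, start, end):
    """Simulate every minute-0 run in [start, end) and list the users reported,
    in run order; a name appearing twice would mean a double report."""
    reported = []
    t = start
    while t < end:
        if matches(expr, t):
            reported.extend(e["user"] for e in events_in_window(events, t))
        t += timedelta(hours=1)
    return reported


if __name__ == "__main__":
    span = (datetime(2024, 1, 15), datetime(2024, 1, 17))
    print("equivalent:", schedules_equivalent(ORIGINAL, SHORT))
    print("0-7,20-23 schedule reports:", reported_logins(SHORT, SAMPLE_EVENTS, *span))
    print("21-23,0-7 schedule reports:", reported_logins(REPORTING, SAMPLE_EVENTS, *span))
```

Running it shows the shortened schedule reporting alice (the 19:45 login) because its 20:00 run looks back over 19:00-20:00, while the 21-23,0-7 schedule reports exactly bob, carol, dave and erin, each once, and never frank, whose 07:30 login falls after the last run of the night.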
Thank you @PavelP it works