Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alerting cron Query

numeroinconnu12
Path Finder
‎04-14-2020 06:09 AM

Hello,

I have a query that controls authentication to an application.
It is forbidden to connect to the application from 8:00 pm to 7:00 am unless necessary.
i want to do alert when i have connections from 8:00 pm to 7:00 am.
i use cron: 00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

but it's not work. can you help me please?

thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PavelP
Motivator
‎04-14-2020 06:55 AM

Hello @numeroinconnu123 ,

you have to add two more asterisks:

00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

you can actually shorten it to:

0 0-7,20-23 * * *

you can check it here: https://crontab.guru/#00_20,21,22,23,0,1,2,3,4,5,6,7_*_*_*

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PavelP
Motivator
‎04-14-2020 06:55 AM

Hello @numeroinconnu123 ,

you have to add two more asterisks:

00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

you can actually shorten it to:

0 0-7,20-23 * * *

you can check it here: https://crontab.guru/#00_20,21,22,23,0,1,2,3,4,5,6,7_*_*_*

0 Karma
Reply
Solved! Jump to solution

numeroinconnu12
Path Finder
‎04-14-2020 07:06 AM

Thank you. But I copied it wrong, otherwise I have three *** in my expression cron

What happens is I get one alert per hour with normal authentication data. What I want is just the logins between 8:00 pm and 7:00 a.m.

0 Karma
Reply
Solved! Jump to solution

PavelP
Motivator
‎04-14-2020 08:30 AM

you can run a search every hour from 9:00pm and 7:00am and report all logins during the last 60 minutes:

0 21-23,0-7 * * *

This means: “At minute 0 past every hour from 21 through 23 and every hour from 0 through 7.” Link: https://crontab.guru/#0_21-23,0-7_*_*_*

Make sure your splunk search is restricted to the last 60 minutes.

If it still doesn't work then show your query.

Let me know how it went

0 Karma
Reply
Solved! Jump to solution

numeroinconnu12
Path Finder
‎04-20-2020 08:34 PM

Thank you @PavelP it works

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...