Alerting

Alerting cron Query

Path Finder

Hello,

I have a query that controls authentication to an application.
It is forbidden to connect to the application from 8:00 pm to 7:00 am unless necessary.
i want to do alert when i have connections from 8:00 pm to 7:00 am.
i use cron: 00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

but it's not work. can you help me please?

thanks

Labels (1)
0 Karma
1 Solution

Motivator

Hello @numeroinconnu123 ,

you have to add two more asterisks:

00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

you can actually shorten it to:

0 0-7,20-23 * * *

you can check it here: https://crontab.guru/#00_20,21,22,23,0,1,2,3,4,5,6,7_*_*_*

View solution in original post

0 Karma

Motivator

Hello @numeroinconnu123 ,

you have to add two more asterisks:

00 20,21,22,23,0,1,2,3,4,5,6,7 * * *

you can actually shorten it to:

0 0-7,20-23 * * *

you can check it here: https://crontab.guru/#00_20,21,22,23,0,1,2,3,4,5,6,7_*_*_*

View solution in original post

0 Karma

Path Finder

Thank you. But I copied it wrong, otherwise I have three *** in my expression cron

What happens is I get one alert per hour with normal authentication data. What I want is just the logins between 8:00 pm and 7:00 a.m.

0 Karma

Motivator

you can run a search every hour from 9:00pm and 7:00am and report all logins during the last 60 minutes:

0 21-23,0-7 * * *

This means: “At minute 0 past every hour from 21 through 23 and every hour from 0 through 7.” Link: https://crontab.guru/#0_21-23,0-7_*_*_*

Make sure your splunk search is restricted to the last 60 minutes.

If it still doesn't work then show your query.

Let me know how it went

0 Karma

Path Finder

Thank you @PavelP it works

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!