Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I achieve a CRON schedule that skips a 15 minute interval?

darbritto
Explorer
‎03-29-2023 01:28 PM

Hello Everyone,

 

I have an alert that runs every 15 minutes and checks logs for last 15 minute time span. I want the alert to not run for 1:30 am cycle. 

Currently I am using the cron expression */15 0-1,2-23 * * *

But this will skip all schedules between 1 -2 am [1:00, 1:15, 1:30, 1:45]

Is there anyway I can only skip the alert scheduled at 1:30 am (searches time range 1:15:00 to 1:30:00 ) within one cron schedule. 

I know it can be done easily with 2 schedules but was wondering if this can be achieved within one CRON expression.

 

Thanks.

Labels (2)
Labels
0 Karma
Reply

darbritto
Explorer
‎03-29-2023 02:27 PM

thanks I was able to use a logical variable to set / unset it based on time as a workaround. 

eval alertFlag=if( strftime(info_max_time, "%H:%M")!="01:30",1,0)

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-29-2023 01:52 PM

It isn't possible by a single cron schedule - you could modify your report so that it checks the current time and returns no results if it is 01:30

Reply

yeahnah
Motivator
‎03-29-2023 02:28 PM

Hi @darbritto 

@ITWhisperer  is correct, either use two cron schedules, or modify your SPL query to not produce results when run at a certain time or time range.  Here's an example I've used in the past

| makeresults
| eval now_hour=ltrim(strftime(now(), "%H"), "0"), now_min=ltrim(strftime(now(), "%M"), "0")
| where now_hour!=1 OR (now_hour=1 AND (now_min >= 30 OR now_min <= 35)) ``` only produce results if the time range is outside of 01:30-01:35 ```

Hope this helps

 

Reply

darbritto
Explorer
‎03-29-2023 02:33 PM

Thanks! 

Since its only one time window I am trying to skip tweaking my search query was much easier. I was able not produce results for that one window with logic something similar to what you had suggested.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...