Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I achieve a CRON schedule that skips a 15 minute interval?

darbritto
Explorer
‎03-29-2023 01:28 PM

Hello Everyone,

 

I have an alert that runs every 15 minutes and checks logs for last 15 minute time span. I want the alert to not run for 1:30 am cycle. 

Currently I am using the cron expression */15 0-1,2-23 * * *

But this will skip all schedules between 1 -2 am [1:00, 1:15, 1:30, 1:45]

Is there anyway I can only skip the alert scheduled at 1:30 am (searches time range 1:15:00 to 1:30:00 ) within one cron schedule. 

I know it can be done easily with 2 schedules but was wondering if this can be achieved within one CRON expression.

 

Thanks.

Labels (2)
Labels
0 Karma
Reply

darbritto
Explorer
‎03-29-2023 02:27 PM

thanks I was able to use a logical variable to set / unset it based on time as a workaround. 

eval alertFlag=if( strftime(info_max_time, "%H:%M")!="01:30",1,0)

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-29-2023 01:52 PM

It isn't possible by a single cron schedule - you could modify your report so that it checks the current time and returns no results if it is 01:30

Reply

yeahnah
Motivator
‎03-29-2023 02:28 PM

Hi @darbritto 

@ITWhisperer  is correct, either use two cron schedules, or modify your SPL query to not produce results when run at a certain time or time range.  Here's an example I've used in the past

| makeresults
| eval now_hour=ltrim(strftime(now(), "%H"), "0"), now_min=ltrim(strftime(now(), "%M"), "0")
| where now_hour!=1 OR (now_hour=1 AND (now_min >= 30 OR now_min <= 35)) ``` only produce results if the time range is outside of 01:30-01:35 ```

Hope this helps

 

Reply

darbritto
Explorer
‎03-29-2023 02:33 PM

Thanks! 

Since its only one time window I am trying to skip tweaking my search query was much easier. I was able not produce results for that one window with logic something similar to what you had suggested.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...
Top