Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I achieve a CRON schedule that skips a 15 minute interval?

darbritto
Explorer
‎03-29-2023 01:28 PM

Hello Everyone,

 

I have an alert that runs every 15 minutes and checks logs for last 15 minute time span. I want the alert to not run for 1:30 am cycle. 

Currently I am using the cron expression */15 0-1,2-23 * * *

But this will skip all schedules between 1 -2 am [1:00, 1:15, 1:30, 1:45]

Is there anyway I can only skip the alert scheduled at 1:30 am (searches time range 1:15:00 to 1:30:00 ) within one cron schedule. 

I know it can be done easily with 2 schedules but was wondering if this can be achieved within one CRON expression.

 

Thanks.

Labels (2)
Labels
0 Karma
Reply

darbritto
Explorer
‎03-29-2023 02:27 PM

thanks I was able to use a logical variable to set / unset it based on time as a workaround. 

eval alertFlag=if( strftime(info_max_time, "%H:%M")!="01:30",1,0)

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-29-2023 01:52 PM

It isn't possible by a single cron schedule - you could modify your report so that it checks the current time and returns no results if it is 01:30

Reply

yeahnah
Motivator
‎03-29-2023 02:28 PM

Hi @darbritto 

@ITWhisperer  is correct, either use two cron schedules, or modify your SPL query to not produce results when run at a certain time or time range.  Here's an example I've used in the past

| makeresults
| eval now_hour=ltrim(strftime(now(), "%H"), "0"), now_min=ltrim(strftime(now(), "%M"), "0")
| where now_hour!=1 OR (now_hour=1 AND (now_min >= 30 OR now_min <= 35)) ``` only produce results if the time range is outside of 01:30-01:35 ```

Hope this helps

 

Reply

darbritto
Explorer
‎03-29-2023 02:33 PM

Thanks! 

Since its only one time window I am trying to skip tweaking my search query was much easier. I was able not produce results for that one window with logic something similar to what you had suggested.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...