Re: Cron Expression to run at every 15th minute da...

loureni1 · ‎04-04-2018

Can you help me with a Cron job to run daily at every 15th minute on every day except Sunday 1.00AM to 6.00AM . On Sunday 1 to 6am system maintenance and don't want to receive any alerts during this time.

elliotproebstel · ‎04-04-2018

Personally, I'd schedule the alert to run every 15 minutes of every day and then create a macro called ignore_maintenance_window. The macro code would look like this:

eval is_sunday=if(tonumber(strftime(now(), "%w"))=0, 1, 0), is_blocked_time=if(tonumber(strftime(now(), "%H"))>=1 AND tonumber(strftime(now(), "%H"))<=6, 1, 0) 
| search is_sunday=0 OR is_blocked_time=0
| fields - is_sunday is_blocked_time

This macro will apply to every event two fields is_sunday and is_blocked_time, and the value will be the same for every event, because it's looking at the current time, not the time of the event. It will then filter out all events that are marked as is_sunday=1 and is_blocked_time=1, so assuming your alert will only generate notification if event count is greater than 0, then this will prevent the alert from firing during the maintenance window. You'd apply it like this:

your base search
| `ignore_maintenance_window`

Cron Expression to run at every 15th minute daily except on Sunday from 1am to 6.00PM

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Are you a member of the Splunk Community?

Cron Expression to run at every 15th minute daily except on Sunday from 1am to 6.00PM

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025