Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cron Expression to run at every 15th minute daily except on Sunday from 1am to 6.00PM

loureni1
Explorer
‎04-04-2018 11:29 AM

Can you help me with a Cron job to run daily at every 15th minute on every day except Sunday 1.00AM to 6.00AM . On Sunday 1 to 6am system maintenance and don't want to receive any alerts during this time.

0 Karma
Reply

elliotproebstel
Champion
‎04-04-2018 11:54 AM

Personally, I'd schedule the alert to run every 15 minutes of every day and then create a macro called ignore_maintenance_window. The macro code would look like this:

eval is_sunday=if(tonumber(strftime(now(), "%w"))=0, 1, 0), is_blocked_time=if(tonumber(strftime(now(), "%H"))>=1 AND tonumber(strftime(now(), "%H"))<=6, 1, 0) 
| search is_sunday=0 OR is_blocked_time=0
| fields - is_sunday is_blocked_time

This macro will apply to every event two fields is_sunday and is_blocked_time, and the value will be the same for every event, because it's looking at the current time, not the time of the event. It will then filter out all events that are marked as is_sunday=1 and is_blocked_time=1, so assuming your alert will only generate notification if event count is greater than 0, then this will prevent the alert from firing during the maintenance window. You'd apply it like this:

your base search
| `ignore_maintenance_window`
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...