Alerting

Cron job for below search ?

m7787579
New Member

Hi Splunkers,

I have to run my search 11 times a day at the timings mentioned below; one search captures data from the last 12 hours and the remaining 10 searches capture the last 1 hour of data.

One way of doing this is to clone the search and create two searches with same name.

1) One report for the first search, capturing the last 12 hours of data.
2) One report for the remaining 10 searches, capturing the last 1 hour of data.

Is there any way I can do this without changing/cloning the search?

XYZ Search
Number  Run At    Start time  End time
1       07:47:00  17:47:00    07:47:00
2       08:47:00  07:47:00    08:47:00
3       09:47:00  08:47:00    09:47:00
4       10:47:00  09:47:00    10:47:00
5       11:47:00  10:47:00    11:47:00
6       12:47:00  11:47:00    12:47:00
7       13:47:00  12:47:00    13:47:00
8       14:47:00  13:47:00    14:47:00
9       15:47:00  14:47:00    15:47:00
10      16:47:00  15:47:00    16:47:00
11      17:47:00  16:47:00    17:47:00

gcusello
SplunkTrust

Hi,
you could:

  • schedule your alert to 47 7,8,9,10,11,12,13,14,15,16,17 * * *

  • set the time period of your search to the last 12 hours

  • and modify your search in this way

    your_search
    | eval cutoff=if(tonumber(strftime(now(),"%H"))=7, relative_time(now(),"-12h"), relative_time(now(),"-1h"))
    | where _time>=cutoff
    | ...

In this way, if the search is executed at 7, it takes events of the last 12 hours; if it's executed at a different hour, it takes events of the last hour.

Bye.
Giuseppe


martin_mueller
SplunkTrust

For the clone approach, make sure you have the bulk of the search stored in a macro to avoid having code duplication - maintenance nightmare.

Without cloning, you'd have to make the search self-aware and inspect its time range as well as schedule time in order to once a day deviate and also search for an additional 13 hours. That's possible to build using subsearches to generate earliest and latest, but from a maintenance and robustness point of view your two searches might be better.
In a way, you are running two different searches. One looks at an entire off-peak time / night, the other looks at a single hour. Depending on what your searches actually are doing, the two might be very different indeed.

Even better, step back a bit and examine your requirements to see if there's a different approach. To help here we'd need to know more about that.

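The "self-aware" search Martin describes, written out as an added example (this is not code from either poster): a subsearch computes earliest and latest from the scheduled run time, so the 07:47 run covers 12 hours and every other run covers 1 hour, and Splunk narrows the actual time range instead of post-filtering a 12-hour result set. It assumes the single alert is scheduled with cron `47 7-17 * * *`; `index=your_index sourcetype=your_sourcetype` are placeholders for the real base search.

```spl
index=your_index sourcetype=your_sourcetype
    [ | makeresults
      | eval run_hour=tonumber(strftime(now(),"%H"))
      | eval earliest=if(run_hour=7, relative_time(now(),"-12h"), relative_time(now(),"-1h"))
      | eval latest=now()
      | fields earliest latest ]
| ...
```

The subsearch returns one row whose `earliest` and `latest` fields are expanded into time modifiers on the outer search, which take precedence over the saved search's own time range picker.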