Alerting

How can I schedule a cron job only once? For example, the alert should stop once a condition is triggered

wanda619
Path Finder

right now i have a cron expression like this - 0 * * * *

so the report is sent out every hour. How can i generate the report only once when the condition is triggered.

 

Thanks! 

Labels (4)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @wanda619,

as @johnhuang said, you can set your alert to send only one message when the alert fires and not one for each result you have in your alert.

If you don't want to receive messages for a predefined time period after a firing, you can set the throttle.

Ciao.

Giuseppe

0 Karma

wanda619
Path Finder

@gcusello right now the alert is set in such way that report is being sent every hour, i am trying to find a way ,so that it sends one report per day.  cron expression i am using is 0 * * * *

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @wanda619,

if you see in the panel where you set the cron schedule, there's an option to throttle events (it's a check flag).

Flagging it you can say to Splunk that if an alert is fired, the alert must be runned again after 24 hours.

Ciao.

Giuseppe

richgalloway
SplunkTrust
SplunkTrust

To limit the number of alerts to one per day, use the Throttle feature.  Edit the alert, check the "Throttle" box, then set the "Suppress triggering for" settings as shown.  Then click Save.

richgalloway_0-1667395185837.png

BTW, try to avoid scheduling alerts at minute 0.  This tends to be the most popular time for running searches so you risk searches being skipped if there aren't enough resources available.

 

---
If this reply helps you, Karma would be appreciated.

johnhuang
Motivator

Not sure if you want one time use alert or one alert per run. For the latter: configure the Trigger to "Once" which will limit the alert to one per run.

johnhuang_0-1667355901519.png

 

0 Karma

wanda619
Path Finder

@johnhuang yes specifically looking for one time use alert,, since now it i giving alert every hour. I am looking to set alert once at the beginning  

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...