Alerting

How to configure Splunk alert scheduling?

zacksoft_wf
Contributor

My requirement is to run this alert with a time range of 12 hours and send an email twice a day (every 12 hours) based on what it finds.

Here is my configuration,
Cron Expression : * */12 * * *
Time Range: Last 12 hours
Schedule Priority : Default
Schedule Window : 5 minutes

In my local time it runs between 9:30 AM - 10:30 AM and 9:30 PM - 10:30 PM. But between those times (say between 9:30 AM and 10:30 AM), it triggers multiple email alerts, at a frequency of roughly one alert every 2 minutes.
What I want is that it should send one email during each run (i.e. one email every 12 hours).
Can anyone guide me on what to change in the scheduling options to achieve this?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft_wf,

the solution for your need is the Throttle, which disables your alert for a configurable period after an alert trigger.

So when you save your alert, in addition to the settings you shared, you have to enable throttling for e.g. 2 hours.

In other words you have to:

  • create your search,
  • save it as an Alert,
  • configure the following parameters:
    • Alert Type: scheduled
    • Time Range: 12 hours
    • Cron Expression: * */12 * * *
    • Expires: 24 hours
    • Trigger Alert when results>0
    • Trigger once
    • Throttle flagged
    • Suppress triggering for 11 hours
    • Trigger Actions:
      • Add to triggered alerts
      • Send eMail

Only one hint: I don't like your cron expression, I prefer to define the hours of execution, in other words I'd use:

30 9,21 * * *

in this way, your alert runs at 9.30 and 21.30.

If you want to trigger your alert more times (every 5 minutes) between 9.30 and 10.30 (AM and PM) but always with the throttle enabled, you could use:

*/5 9,21 * * *

Ciao.

Giuseppe


0 Karma


zacksoft_wf
Contributor

Changing the cron expression to what you suggested sorted out my problem.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft_wf ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

zacksoft_wf
Contributor

Apart from changing the Cron Expression to 30 9,21 * * *
and turning on throttle with suppress triggering set to 11 hours,
is there anything else I have to change?
I am particularly thinking about Schedule Window = 5 Minutes. Should I change it to anything? What does the Schedule Window option do?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft_wf,

I usually don't use the schedule window parameter.

Ciao.

Giuseppe

0 Karma

zacksoft_wf
Contributor

I am really sorry for the confusion.
I couldn't see the "throttle" option, then I realized that what I am looking at is not an 'Alert', but a "Scheduled Report".
Is there a way to suppress the email alerts from a 'Scheduled Report', please?

But I wonder why I got so many triggered emails for a Scheduled Report. I should get just one at the end of every 12 hours! Is it because of the 'Scheduling Window' = 5 min option that is messing it up?


0 Karma

BahadirS
Path Finder

Hello @zacksoft_wf 

Your cron expression schedules your alert every minute from 9:00 to 10:00 and from 21:00 to 22:00. Your expression would be

30 */12 * * *

to run it once.

I suggest you check https://crontab.guru/ before scheduling.

0 Karma
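As an added illustration, not code from this thread or from Splunk: the script below expands the cron expressions discussed above (`* */12 * * *`, `30 9,21 * * *`, `*/5 9,21 * * *`, `30 */12 * * *`) into the minutes at which the scheduler would start the search on one day, then applies an 11-hour throttle the way gcusello describes, so you can see why the original expression fires every minute for an hour twice a day and why either the corrected cron line or the throttle brings it down to two e-mails. The cron field parser is a simplified one written for this example (numeric fields only, and both day fields must match, unlike Vixie cron's OR rule), the sample date is constructed, and the simulation assumes every run returns results so that every run would trigger the alert.

```python
"""Simulate cron firings per day and Splunk-style alert throttling.

Added example for the thread above; not part of Splunk or the original posts.
"""
from datetime import datetime, timedelta


def _parse_field(field: str, lo: int, hi: int) -> set:
    """Expand one cron field (*, */n, a,b, a-b, a-b/n) into a set of integers.

    Simplified parser written for this example: numeric values only.
    """
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/")
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def cron_minutes_in_day(expr: str, day: datetime) -> list:
    """Return the datetimes on `day` at which the 5-field cron `expr` matches."""
    minute_f, hour_f, dom_f, mon_f, dow_f = expr.split()
    minutes = _parse_field(minute_f, 0, 59)
    hours = _parse_field(hour_f, 0, 23)
    doms = _parse_field(dom_f, 1, 31)
    months = _parse_field(mon_f, 1, 12)
    dows = _parse_field(dow_f, 0, 7)
    # cron numbers Sunday as 0 (or 7); Python's weekday() has Monday = 0
    cron_dow = (day.weekday() + 1) % 7
    if day.day not in doms or day.month not in months:
        return []
    if cron_dow not in dows and not (cron_dow == 0 and 7 in dows):
        return []
    return [datetime(day.year, day.month, day.day, h, m)
            for h in sorted(hours) for m in sorted(minutes)]


def throttled_emails(firings: list, suppress_hours: int) -> list:
    """Apply throttling: once the alert triggers, further triggers are
    suppressed for `suppress_hours`. Returns the times an e-mail is sent.
    Assumes every run returns results (every run would trigger)."""
    sent = []
    suppressed_until = None
    for t in firings:
        if suppressed_until is not None and t < suppressed_until:
            continue  # inside the suppression window: no e-mail
        sent.append(t)
        suppressed_until = t + timedelta(hours=suppress_hours)
    return sent


# Constructed sample date for the simulation (a Monday; the day fields are
# all "*" in the expressions discussed, so any date gives the same result).
SAMPLE_DAY = datetime(2024, 1, 15)


def emails_per_day(expr: str, suppress_hours: int = 0) -> tuple:
    """Return (scheduled runs per day, e-mails actually sent per day)."""
    firings = cron_minutes_in_day(expr, SAMPLE_DAY)
    return len(firings), len(throttled_emails(firings, suppress_hours))


if __name__ == "__main__":
    cases = [
        ("* */12 * * *", 0),    # the original expression, no throttle
        ("* */12 * * *", 11),   # original expression with an 11 h throttle
        ("30 9,21 * * *", 0),   # gcusello's corrected expression
        ("*/5 9,21 * * *", 11), # every 5 minutes in those hours, throttled
        ("30 */12 * * *", 0),   # BahadirS's corrected expression
    ]
    for expr, thr in cases:
        runs, mails = emails_per_day(expr, thr)
        print(f"{expr:16} throttle={thr:2}h  runs/day={runs:3}  e-mails/day={mails}")
```

Running it prints 120 runs and 120 e-mails per day for `* */12 * * *` with no throttle (hours 0 and 12, every minute), which is the behaviour the question describes once the local time-zone offset is applied, and 2 e-mails per day for each of the other rows. The throttle is what protects the inbox when a run fires more often than intended; the schedule window asked about later in the thread does not add runs, it only allows the scheduler to start a run late, up to the window length, when the instance is busy.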