I am supposed to get some data in Splunk twice a day. I want to create 2 email alerts as follows:
Hi @mnj1809,
if I correctly understood, you want to schedule:
Is it correct?
If the time period is the same (always 12 hours) you could schedule only one alert using this cron expression
0 9,15 * * *
Otherwise, you have to schedule two alerts that differ only in the time period, in other words:
Alert 1, scheduled at 9.00
cron
0 9 * * *
Search
index=your_index earliest=-21h@h latest=-4h@h
Alert 2, scheduled at 15.00
cron
0 15 * * *
search
index=your_index earliest=-10h@h latest=-3h@h
The condition is always
results=0
Ciao.
Giuseppe
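As an added example (not code from the thread and not part of Splunk), here is a small Python model of the two alerts in the answer above. It resolves each search's earliest/latest modifiers against the scheduled fire time and checks whether the two windows tile the day with no gap and no overlap, which is what you want when the alert condition is results=0: a gap is a span where missing data would never be noticed. The fire hours, the assumption that modifiers are evaluated relative to the scheduled time, and the -Nh@h subset of relative-time syntax it parses are all assumptions made for illustration.

```python
from __future__ import annotations
from datetime import datetime, timedelta
import re

# Constructed model of the two alerts from the answer above (example code, not part of
# Splunk or of the thread). Each alert: the hour its cron fires and the search's
# earliest/latest relative-time modifiers.
ALERTS = {
    "alert_1": {"fires_at_hour": 9,  "earliest": "-21h@h", "latest": "-4h@h"},
    "alert_2": {"fires_at_hour": 15, "earliest": "-10h@h", "latest": "-3h@h"},
}

_MODIFIER = re.compile(r"^-(\d+)h@h$")


def resolve_modifier(modifier: str, reference: datetime) -> datetime:
    """Resolve a '-Nh@h' relative-time modifier against a reference time.

    Only this subset of Splunk's relative-time syntax is modelled here (assumption
    for the example): subtract N hours, then snap down to the hour (the '@h' part).
    """
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    shifted = reference - timedelta(hours=int(m.group(1)))
    return shifted.replace(minute=0, second=0, microsecond=0)


def alert_window(alert: dict, day: datetime) -> tuple[datetime, datetime]:
    """Absolute (earliest, latest) window an alert searches when it fires on `day`.

    Assumption: the modifiers are evaluated relative to the scheduled fire time.
    """
    fire_time = day.replace(hour=alert["fires_at_hour"], minute=0, second=0, microsecond=0)
    return (resolve_modifier(alert["earliest"], fire_time),
            resolve_modifier(alert["latest"], fire_time))


def check_day_coverage(day_iso: str) -> dict:
    """Work out what the alerts cover for one day and flag gaps or overlaps.

    A gap means an ingestion outage in that span would never trigger results=0;
    an overlap means the same span is checked twice.
    """
    day = datetime.fromisoformat(day_iso)
    windows = {name: alert_window(a, day) for name, a in ALERTS.items()}
    ordered = sorted(windows.values())
    gaps, overlaps = [], []
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start > prev_end:
            gaps.append((prev_end.isoformat(), next_start.isoformat()))
        elif next_start < prev_end:
            overlaps.append((next_start.isoformat(), prev_end.isoformat()))
    covered = sum((e - s).total_seconds() for s, e in ordered) / 3600
    return {
        "windows": {n: (s.isoformat(), e.isoformat()) for n, (s, e) in windows.items()},
        "gaps": gaps,
        "overlaps": overlaps,
        "covered_hours": covered,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_day_coverage("2024-01-02"), indent=2))
```

Run against a constructed day, the 09:00 alert resolves to 12:00 of the previous day through 05:00, and the 15:00 alert to 05:00 through 12:00, so the two searches cover a contiguous 24 hours. If you change either cron hour or modifier, the gaps and overlaps lists show exactly which span stops being monitored.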
Thanks for your answer. Your answer helped me achieve what I wanted.
Hi @mnj1809,
good for you, see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉