Alerting

How to set up an alert for next hour and start time should be every 6 hours?

Explorer

I have setup an alert which i have scheduled to run in every 6 hours (00,06,12,18).

There i have mentioned -
Earliest = 6h@h Latest=@h

Cron Schedule = 0 */6 * * *

Its sending me report in every 6 hours i.e 00:00 AM, 06:00 AM, 12:00 PM, 18:00 PM
But inside the report i am getting result starting from 21/05/2017 22:59:32 1 hour earlier can it be possible i can get the result starting from 00:00.

0 Karma

Champion

Look into setting your time window for the search (not the scheduled time) by using the "snap to time" modifiers, that way your earliest/latest will be well defined, and not based on the time the search runs.

SearchTimeModifiers

Specify a snap to time unit

You can specify a snap to time unit. The time unit indicates the nearest or latest time to which your time amount rounds down. Separate the time amount from the "snap to" time unit with an "@" character.

    You can use any of time units listed previously. For example:
        @w, @week, and @w0 for Sunday
        @month for the beginning of the month
        @q, @qtr, or @quarter for the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1). 
    You can specify a day of the week: w0 (Sunday), w1, w2, w3, w4, w5 and w6 (Saturday). For Sunday, you can specify w0 or w7.
    You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12:00 A.M.) and subtracts 2 hours from that time.
    When snapping to the nearest or latest time, Splunk software always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
    If you do not specify a time offset before the "snap to" amount, Splunk software interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 A.M.
0 Karma

SplunkTrust
SplunkTrust

The value 21/05/2017 22:59:32 is the value of _time field OR text in your raw data? It may be the case that your data is in different timezone than your user profile/splunk server timezone.

0 Karma

SplunkTrust
SplunkTrust

@m7787580... Can you change to cron to run one minute past every 6th hour

1 */6 * * *

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SplunkTrust
SplunkTrust

Depending on the level of your data flow, you probably want to give the system at least two minutes to index whatever events happen on the last minute in a particular hour, so I'd suggest following @niketnilay's advice but having your alert run 2-5 minutes after the hour.

0 Karma