Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: How to setup an alert to run during specific t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a setup an alert that checks the response time of a specific server constantly. My time range is -1m to now and I have scheduled this to run every minute. The alert occurs if the number of events is greater than 3.
The only issue I am having is that it is running 24/7 and I just want it to run during business hours 8am-6pm... is there someway to set it up like this?
Thank you for all your help/support
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with cron schedule as * 8-17 * * *
“At every minute past every hour from 8 through 17, till 17:59)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with cron schedule as * 8-17 * * *
“At every minute past every hour from 8 through 17, till 17:59)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll try this! So just to clarify, this should allow it to run real time every minute from 8-17?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By realtime every minutes do you mean a realtime search or historical search with new instance of the search executing every minute? You should be running a historical search (regular search with earliest and latest) not the real-time searches as they are expensive and never end.
I would also suggest to allow some buffer in your timerange to account for indexing delay. So instead of @m to -1m to now, use say -2m@m to -1m@m allowing 1 min for data to be indexed and become searchable.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, historical data with new instance of the search executing every minute. This is great info, I will also modify my timerange. Thanks again!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
