Alerting

How to write a cron schedule for a single alert to run at 4:50 AM and 5:05 AM?

xbbj3nj
Path Finder

Hi All,

How to write a cron a expression that runs only at 4:50 AM and 5:05 AM on a day.

Note: I want to save it as a single alert, I want to run it from Monday through-Friday.

I tried something like below, but it will run @ 4:50 AM and 5:50 AM.
50 4-5 * * * 1-5

I want to run @ 4:50 AM and schedule it for the next 15th minute . Is this possible ? Please let me know.

Tags (3)
0 Karma

jyotipatil14
New Member

try 50,0 4,5 * 1-5 .... ( I tried this and it worked 🙂 )

That is for windows , for Unix replace comma by right slash /

0 Karma

somesoni2
Revered Legend

Couldn't figure out direct method. But this may be a workaround.
Use this cron: 5-49/5 4-5 * * 1-5

This will make your alert search to run 4 time a day from Mon-Fri @ 4:05, 4:50, 5:05, 5:50.
Next step will be to include following filters in your alert search string, in the base search section to basically no action to be taken if its run during 4:05 and 5:50.

e.g. if your alert search is like this

index=_internal ERROR | stats count | where count>0

Alert condition: if no of events > 0

Modified search:
index=_internal ERROR [|gentimes start=-1 | eval hour=tonumber(strftime(now(),"%H")) | eval min=tonumber(strftime(now(),"%M")) | eval search=if((hour=4 AND min<50) OR (hour=5 AND min>5),"1=2","") | table search ]| stats count | where count>0

0 Karma

saivineet
New Member

what is this 5-59/45

0 Karma

somesoni2
Revered Legend

It actually should be just 5-49/5 4-5 * * 1-5. It will run for hour 4 OR 5, every 5 min starting from 5th minute to 49th (minutes are represented as 0 to 59, I'm skipping execution on 0th/50th/55th minute). Then the subsearch will ensure to not to run anything unless hour is 4 and min is 50 OR hour is 5 and minute is 5

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...