Solved: How to write corn schedule of alerts for every 5 ...

sagar_shubham · ‎08-22-2018

How to write corn schedule of alerts for every 5 min between 6 am to 11 pm CST everyday in Splunk?
I have written as:
*/5 6-23 * * *

Please suggest if this is correct or not?

sudosplunk · ‎08-22-2018

*/5 6-23 * * *

If your goal is to avoid alert from 12:00 A.M. to 6:00 A.M., then you can use default datetime fields in your search to get the results you want.

In your case, try something like this index=idx sourcetype=st (date_hour >= 6 AND date_hour <= 23) |.....

View solution in original post

inventsekar · ‎08-22-2018

for every 5 min between 6 am to 11 pm everyday.
*/5 6-23 * * *
For CST timezone, i hope, you have set up the splunk server timezone to CST.

For everyone's information...For Cron format learnings...
Example expressions
Here are some example cron expressions.

*/5 * * * *       Every 5 minutes.
*/30 * * * *      Every 30 minutes.
0 */12 * * *      Every 12 hours, on the hour.
*/20 * * * 1-5    Every 20 minutes, Monday through Friday.
0 9 1-7 * 1       First Monday of each month, at 9 AM.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/CronExpressions

sudosplunk · ‎08-22-2018

*/5 6-23 * * *

If your goal is to avoid alert from 12:00 A.M. to 6:00 A.M., then you can use default datetime fields in your search to get the results you want.

In your case, try something like this index=idx sourcetype=st (date_hour >= 6 AND date_hour <= 23) |.....

How to write corn schedule of alerts for every 5 min between 6 am to 11 pm CST everyday in Splunk?

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices

Streamline Data Ingestion With Deployment Server Essentials