Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible for a cron job to run for events from the previous 24 hours?

demkic
Explorer
‎02-16-2017 01:53 PM

Hi, is it possible to run a cron job with the following schedule: 15 7-23/6 *** but have it run for events that happened only in the last 24 hours?

Many thanks!
Daria

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-16-2017 02:58 PM

Sure. I read that as, you want it to run daily at 7:15 AM, 1:15 PM, and 7:15 PM. (7-23/6 equates to 7, 13,and 20 - if you want it to run 4 times in between 7 and 23, you'd need to change that to every 5 hours and it would hit 7,12,17 and 22.)

So, just to be clear: For example, when it runs at 7:15 am, do you want it to check all the events from 7:15 the prior day to 7:15 this day? You would just have the search code's earliest value set to either =-24h or =-1d.

Since you're willing to schedule it only every 6 hours, it might be advantageous to use =-1d@h and latest= =@h, so that the 7:15 AM search checks from 7:00 AM the prior day to 7:00 AM the current day.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-16-2017 02:58 PM

Sure. I read that as, you want it to run daily at 7:15 AM, 1:15 PM, and 7:15 PM. (7-23/6 equates to 7, 13,and 20 - if you want it to run 4 times in between 7 and 23, you'd need to change that to every 5 hours and it would hit 7,12,17 and 22.)

So, just to be clear: For example, when it runs at 7:15 am, do you want it to check all the events from 7:15 the prior day to 7:15 this day? You would just have the search code's earliest value set to either =-24h or =-1d.

Since you're willing to schedule it only every 6 hours, it might be advantageous to use =-1d@h and latest= =@h, so that the 7:15 AM search checks from 7:00 AM the prior day to 7:00 AM the current day.

Reply
Solved! Jump to solution

demkic
Explorer
‎02-17-2017 09:37 AM

This is great, thank you for your feedback. I didn't notice that I was able to state a custom time (earliest and latest) within the alert itself.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-17-2017 11:24 AM

Yup, an alert just a search that's fit into a special pigeonhole named "alert", so you have most features available to an alert that you have to any other search.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Seamless IT/OT Security: A Hands-On Look at the Cisco Cyber Vision Splunk Add-on

With just a few clicks, you can ingest critical OT asset details, vulnerabilities, baseline deviations, ...