Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible for a cron job to run for events from the previous 24 hours?

demkic
Explorer
‎02-16-2017 01:53 PM

Hi, is it possible to run a cron job with the following schedule: 15 7-23/6 *** but have it run for events that happened only in the last 24 hours?

Many thanks!
Daria

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-16-2017 02:58 PM

Sure. I read that as, you want it to run daily at 7:15 AM, 1:15 PM, and 7:15 PM. (7-23/6 equates to 7, 13,and 20 - if you want it to run 4 times in between 7 and 23, you'd need to change that to every 5 hours and it would hit 7,12,17 and 22.)

So, just to be clear: For example, when it runs at 7:15 am, do you want it to check all the events from 7:15 the prior day to 7:15 this day? You would just have the search code's earliest value set to either =-24h or =-1d.

Since you're willing to schedule it only every 6 hours, it might be advantageous to use =-1d@h and latest= =@h, so that the 7:15 AM search checks from 7:00 AM the prior day to 7:00 AM the current day.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-16-2017 02:58 PM

Sure. I read that as, you want it to run daily at 7:15 AM, 1:15 PM, and 7:15 PM. (7-23/6 equates to 7, 13,and 20 - if you want it to run 4 times in between 7 and 23, you'd need to change that to every 5 hours and it would hit 7,12,17 and 22.)

So, just to be clear: For example, when it runs at 7:15 am, do you want it to check all the events from 7:15 the prior day to 7:15 this day? You would just have the search code's earliest value set to either =-24h or =-1d.

Since you're willing to schedule it only every 6 hours, it might be advantageous to use =-1d@h and latest= =@h, so that the 7:15 AM search checks from 7:00 AM the prior day to 7:00 AM the current day.

Reply
Solved! Jump to solution

demkic
Explorer
‎02-17-2017 09:37 AM

This is great, thank you for your feedback. I didn't notice that I was able to state a custom time (earliest and latest) within the alert itself.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-17-2017 11:24 AM

Yup, an alert just a search that's fit into a special pigeonhole named "alert", so you have most features available to an alert that you have to any other search.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...