Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible for a cron job to run for events from the previous 24 hours?

demkic
Explorer
‎02-16-2017 01:53 PM

Hi, is it possible to run a cron job with the following schedule: 15 7-23/6 *** but have it run for events that happened only in the last 24 hours?

Many thanks!
Daria

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-16-2017 02:58 PM

Sure. I read that as, you want it to run daily at 7:15 AM, 1:15 PM, and 7:15 PM. (7-23/6 equates to 7, 13,and 20 - if you want it to run 4 times in between 7 and 23, you'd need to change that to every 5 hours and it would hit 7,12,17 and 22.)

So, just to be clear: For example, when it runs at 7:15 am, do you want it to check all the events from 7:15 the prior day to 7:15 this day? You would just have the search code's earliest value set to either =-24h or =-1d.

Since you're willing to schedule it only every 6 hours, it might be advantageous to use =-1d@h and latest= =@h, so that the 7:15 AM search checks from 7:00 AM the prior day to 7:00 AM the current day.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-16-2017 02:58 PM

Sure. I read that as, you want it to run daily at 7:15 AM, 1:15 PM, and 7:15 PM. (7-23/6 equates to 7, 13,and 20 - if you want it to run 4 times in between 7 and 23, you'd need to change that to every 5 hours and it would hit 7,12,17 and 22.)

So, just to be clear: For example, when it runs at 7:15 am, do you want it to check all the events from 7:15 the prior day to 7:15 this day? You would just have the search code's earliest value set to either =-24h or =-1d.

Since you're willing to schedule it only every 6 hours, it might be advantageous to use =-1d@h and latest= =@h, so that the 7:15 AM search checks from 7:00 AM the prior day to 7:00 AM the current day.

Reply
Solved! Jump to solution

demkic
Explorer
‎02-17-2017 09:37 AM

This is great, thank you for your feedback. I didn't notice that I was able to state a custom time (earliest and latest) within the alert itself.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-17-2017 11:24 AM

Yup, an alert just a search that's fit into a special pigeonhole named "alert", so you have most features available to an alert that you have to any other search.

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...