Alerting

Little confused about Cron schedule for alerts...

Builder

I want to schedule a search to run 1 time every hour and email when results > 0.

From the documentation every hour is * * * * * ?

Also I want to optimize the search, does it help to use earliest of - 2d?

Thank you

0 Karma

Influencer

The earliest and latest you run the search is deeply dependent on what alarm time ranges you are aiming for.

About the cron, once every hour is:

0 * * * *


0 Karma


Builder

Thank you for confirming, otherwise all * * * * * would be every minute....

0 Karma

The answer from @tiagofbmm is totally correct, but I want to chime in and suggest that you consider ensuring your scheduled searches are not all scheduled to run at the same time. As you scale and grow, it's easy to run into situations where all your scheduled reports/alerts are trying to run at the same minute, so it's good to get into a habit of scheduling jobs to run on schedules that don't fall on the hour, half hour, etc. I find it useful to be in the practice of writing cron schedules like this:

7 * * * *

That will run the job every hour at 7 minutes past the hour. When I write new cron schedules, I just try to make that offset different every time and aim to avoid "roundish" numbers that are multiples of 5/15/30, since a lot of users will schedule their jobs to run "every 15 minutes", and I want my jobs to avoid colliding with those.
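An added example, not part of the original thread: a small Python helper that tallies how many existing cron schedules fire on each minute of the hour and picks the least-loaded minute that is not a multiple of 5 for a new hourly job. The schedule list is constructed sample data, the function names are hypothetical, and only the minute field is considered (every schedule is assumed to fire each hour).

```python
from collections import Counter

# Constructed sample: cron schedules already in use by other alerts/reports.
SAMPLE = ["0 * * * *", "*/15 * * * *", "*/5 * * * *",
          "7 * * * *", "0,30 * * * *", "1-4 * * * *"]

def expand_minutes(field):
    """Expand a cron minute field (*, N, A-B, lists, /step) into a set of minutes."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-"))
        else:
            lo = int(rng)
            hi = 59 if "/" in part else lo  # "N/step" read as N-59/step
        if not (0 <= lo <= hi <= 59) or step < 1:
            raise ValueError(f"bad minute field: {field!r}")
        minutes.update(range(lo, hi + 1, step))
    return minutes

def minute_load(schedules):
    """Count how many schedules fire on each minute of the hour."""
    load = Counter()
    for cron in schedules:
        fields = cron.split()
        if len(fields) != 5:
            raise ValueError(f"expected 5 cron fields: {cron!r}")
        load.update(expand_minutes(fields[0]))
    return load

def pick_offset(schedules):
    """Least-loaded minute that is not a multiple of 5; lowest minute wins ties."""
    load = minute_load(schedules)
    candidates = [m for m in range(60) if m % 5 != 0]
    return min(candidates, key=lambda m: (load[m], m))

if __name__ == "__main__":
    load = minute_load(SAMPLE)
    print("busiest minutes:", load.most_common(3))
    print("suggested hourly schedule:", f"{pick_offset(SAMPLE)} * * * *")
```
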

Influencer

@elliotproebstel you are correct, I didn't want to pass the idea that to run hourly, it has to have a 0 in the first section. Thanks for adding useful info. Upvoted.

0 Karma