Alerting

Little confused about Cron schedule for alerts...

Log_wrangler
Builder

I want to schedule a search to run 1 time every hour and email when results > 0.

From the documentation every hour is * * * * * ?

Also I want to optimize the search, does it help to use earliest of -2d?

Thank you


tiagofbmm
Influencer

The earliest and latest you run the search is deeply dependent on what alarm time ranges you are aiming for.

About the cron, once every hour is:

0 * * * *


Log_wrangler
Builder

Thank you for confirming, otherwise all * * * * * would be every minute....


elliotproebstel
Champion

The answer from @tiagofbmm is totally correct, but I want to chime in and suggest that you consider ensuring your scheduled searches are not all scheduled to run at the same time. As you scale and grow, it's easy to run into situations where all your scheduled reports/alerts are trying to run at the same minute, so it's good to get into a habit of scheduling jobs to run on schedules that don't fall on the hour, half hour, etc. I find it useful to be in the practice of writing cron schedules like this:

7 * * * *

That will run the job every hour at 7 minutes past the hour. When I write new cron schedules, I just try to make that offset different every time and aim to avoid "roundish" numbers that are multiples of 5/15/30, since a lot of users will schedule their jobs to run "every 15 minutes", and I want my jobs to avoid colliding with those.
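An added example (not from the thread or from Splunk) that expands 5-field cron expressions and reports the minutes of an hour on which several schedules would fire together; the alert names and schedules below are constructed.

```python
from collections import defaultdict
# Allowed value ranges of the five cron fields: minute, hour, day-of-month, month, day-of-week (0-6 here).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def expand_field(spec, lo, hi):
    """Expand one cron field ('*', '7', '1-5', '*/15', '0,30') into the set of values it covers."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr):
    """Parse a 5-field cron string; a 6-field form such as '* * * * * ?' is rejected."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields, got {len(fields)}: {expr!r}")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def collisions_in_hour(schedules, hour=0):
    """Return {minute: [names]} for each minute of the given hour in which more than one
    schedule fires. Day/month/weekday fields are ignored, so this is the worst-case day."""
    by_minute = defaultdict(list)
    for name, expr in schedules.items():
        minutes, hours, *_ = parse_cron(expr)
        if hour in hours:
            for m in minutes:
                by_minute[m].append(name)
    return {m: names for m, names in sorted(by_minute.items()) if len(names) > 1}

# Constructed sample of scheduled searches; not taken from any real deployment.
ALERTS = {
    "failed_logins_hourly": "0 * * * *",
    "new_admin_hourly": "0 * * * *",
    "brute_force_15m": "*/15 * * * *",
    "rare_process_hourly": "7 * * * *",  # offset past the hour, as suggested in the thread
}

if __name__ == "__main__":
    for minute, names in collisions_in_hour(ALERTS).items():
        print(f"minute {minute:02d}: {len(names)} searches collide -> {', '.join(names)}")
```

Running it on the sample shows three searches landing on minute 0 while the offset schedule stays alone.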

tiagofbmm
Influencer

@elliotproebstel you are correct; I didn't want to give the impression that, to run hourly, it has to have a 0 in the first section. Thanks for adding useful info. Upvoted.
