Alerting

Schedule alert with different cron condition

praddasg
Path Finder

Hello All,

I have alert policy which triggers at 10% every 15 minutes. The current expression for this is */15 * * * *

Because overnight and on the weekend the transactions are less hence want to use a different condition i.e. trigger at 50%.
So the question is
1. For the existing 10%, i want to schedule only for weekday from morning 8 AM to 5 PM. Will this be the cron expression */15 8-17 * * 1-4
2. For the new 50% i want to schedule 5PM to next day 8 AM and all day long over the weekend. Will this be the cron expression */15 17-8,0-23 * * 1-4,5-0

0 Karma
1 Solution

manjunathmeti
Champion

Hi @praddasg,

1.This is correct if your weekdays doesn't include Friday. If it includes Friday then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2.It'll better if you write 2 cron expressions for 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

View solution in original post

0 Karma

manjunathmeti
Champion

Hi @praddasg,

1.This is correct if your weekdays doesn't include Friday. If it includes Friday then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2.It'll better if you write 2 cron expressions for 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

0 Karma

praddasg
Path Finder

Hello @manjunathmeti @rich7177

Thanks for comments, few questions:

  1. As per splunk documentation sunday is treated as 0 Day of the week: 0-6 (where 0 = Sunday)
    https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/CronExpressions
    is this not correct?

  2. can i not set crons for a single alert like */15 17-8,0-23 * * 1-4,5-0 over here https://share.getcloudapp.com/xQugnl7g
    OR
    Do i have to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

0 Karma

manjunathmeti
Champion

Hi @praddasg,

  1. Yes 0 is Sunday in Day of the week: 0-6.
  2. You need to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

Richfez
SplunkTrust
SplunkTrust

Almost.

*/15 8-17 * * 1-4 will actually only do it Monday to Thursday. You'd want 1-5 to do Monday to Friday. Like */15 8-17 * * 1-4

For your after hours, I think you should separate it into */15 17-23,0-8 * * 1-5 for weekdays after hours, then */15 * * * 6,7 for the weekends.

And that would be your three schedules - the after hours and weekends one would just use the same report cloned.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...