Alerting

Schedule alert with different cron condition

praddasg
Path Finder

Hello All,

I have alert policy which triggers at 10% every 15 minutes. The current expression for this is */15 * * * *

Because overnight and on the weekend the transactions are less hence want to use a different condition i.e. trigger at 50%.
So the question is
1. For the existing 10%, i want to schedule only for weekday from morning 8 AM to 5 PM. Will this be the cron expression */15 8-17 * * 1-4
2. For the new 50% i want to schedule 5PM to next day 8 AM and all day long over the weekend. Will this be the cron expression */15 17-8,0-23 * * 1-4,5-0

0 Karma
1 Solution

manjunathmeti
Champion

Hi @praddasg,

1.This is correct if your weekdays doesn't include Friday. If it includes Friday then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2.It'll better if you write 2 cron expressions for 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

View solution in original post

0 Karma

manjunathmeti
Champion

Hi @praddasg,

1.This is correct if your weekdays doesn't include Friday. If it includes Friday then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2.It'll better if you write 2 cron expressions for 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

0 Karma

praddasg
Path Finder

Hello @manjunathmeti @rich7177

Thanks for comments, few questions:

  1. As per splunk documentation sunday is treated as 0 Day of the week: 0-6 (where 0 = Sunday)
    https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/CronExpressions
    is this not correct?

  2. can i not set crons for a single alert like */15 17-8,0-23 * * 1-4,5-0 over here https://share.getcloudapp.com/xQugnl7g
    OR
    Do i have to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

0 Karma

manjunathmeti
Champion

Hi @praddasg,

  1. Yes 0 is Sunday in Day of the week: 0-6.
  2. You need to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

Richfez
SplunkTrust
SplunkTrust

Almost.

*/15 8-17 * * 1-4 will actually only do it Monday to Thursday. You'd want 1-5 to do Monday to Friday. Like */15 8-17 * * 1-4

For your after hours, I think you should separate it into */15 17-23,0-8 * * 1-5 for weekdays after hours, then */15 * * * 6,7 for the weekends.

And that would be your three schedules - the after hours and weekends one would just use the same report cloned.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...