Solved: Schedule alert with different cron condition

praddasg · ‎03-04-2020

Hello All,

I have alert policy which triggers at 10% every 15 minutes. The current expression for this is */15 * * * *

Because overnight and on the weekend the transactions are less hence want to use a different condition i.e. trigger at 50%.
So the question is
1. For the existing 10%, i want to schedule only for weekday from morning 8 AM to 5 PM. Will this be the cron expression */15 8-17 * * 1-4
2. For the new 50% i want to schedule 5PM to next day 8 AM and all day long over the weekend. Will this be the cron expression */15 17-8,0-23 * * 1-4,5-0

manjunathmeti · ‎03-04-2020

Hi @praddasg,

1.This is correct if your weekdays doesn't include Friday. If it includes Friday then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2.It'll better if you write 2 cron expressions for 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

View solution in original post

manjunathmeti · ‎03-04-2020

Hi @praddasg,

1.This is correct if your weekdays doesn't include Friday. If it includes Friday then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2.It'll better if you write 2 cron expressions for 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

praddasg · ‎03-04-2020

Hello @manjunathmeti @rich7177

Thanks for comments, few questions:

As per splunk documentation sunday is treated as 0 Day of the week: 0-6 (where 0 = Sunday)
https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/CronExpressions
is this not correct?
can i not set crons for a single alert like */15 17-8,0-23 * * 1-4,5-0 over here https://share.getcloudapp.com/xQugnl7g
OR
Do i have to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

manjunathmeti · ‎03-04-2020

Hi @praddasg,

Yes 0 is Sunday in Day of the week: 0-6.
You need to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

Richfez · ‎03-04-2020

Almost.

*/15 8-17 * * 1-4 will actually only do it Monday to Thursday. You'd want 1-5 to do Monday to Friday. Like */15 8-17 * * 1-4

For your after hours, I think you should separate it into */15 17-23,0-8 * * 1-5 for weekdays after hours, then */15 * * * 6,7 for the weekends.

And that would be your three schedules - the after hours and weekends one would just use the same report cloned.

Schedule alert with different cron condition

Cron 1:

OR

Cron 2:

OR

Cron 1:

OR

Cron 2:

OR

Fall Into Learning with New Splunk Education Courses

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Are you a member of the Splunk Community?

Schedule alert with different cron condition

Cron 1:

OR

Cron 2:

OR

Cron 1:

OR

Cron 2:

OR

Fall Into Learning with New Splunk Education Courses

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes