Solved: Schedule search every 12 hours

gnovak · ‎06-26-2013

I know this might seem like a simple question, but for some reason today I'm having trouble with this.

I have a search. I created an alert for this search. I want this search to run at 7:30am and search the last 12 hours, alert if there are any results and then run again 12 hours from that time, which would be at 7:30pm.

However I'm having trouble getting this to happen. I have this for the saved alert/search:

Search: sourcetype=TMFErrors eventtype="PlatformSQLException" ETL "No space left on device"
Start Time: -12h@h
End time: Now
Schedule Type: cron
Cron Schedule: 30 7 * * *

This works to have the search run at 7:30am, go back 12 hours and search for errors.

However for running again at 7:30pm, well this doesn't do it.

Is there a way to do this or do I have to have 2 separate searches with alerts? I'm assuming yes but figured I'd ask.

coltadkison · ‎06-26-2013

Your cron schedule only allows the search to run at 7:30 AM.
Cron uses a 24 hour time scheme.

Try setting your Cron schedule to:
30 7,19 * * *

This will have the search run at 0730 and again at 1930 which is 730 PM.

View solution in original post

coltadkison · ‎06-26-2013

Your cron schedule only allows the search to run at 7:30 AM.
Cron uses a 24 hour time scheme.

Try setting your Cron schedule to:
30 7,19 * * *

This will have the search run at 0730 and again at 1930 which is 730 PM.

gnovak · ‎06-26-2013

OMG I totally forgot about that! Thanks you! Crisis averted! 🙂

Schedule search every 12 hours

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation