Alerting

Schedule search every 12 hours

gnovak
Builder

I know this might seem like a simple question, but for some reason today I'm having trouble with this.

I have a search. I created an alert for this search. I want this search to run at 7:30am and search the last 12 hours, alert if there are any results and then run again 12 hours from that time, which would be at 7:30pm.

However I'm having trouble getting this to happen. I have this for the saved alert/search:

Search: sourcetype=TMFErrors eventtype="PlatformSQLException" ETL "No space left on device"
Start Time: -12h@h
End time: Now
Schedule Type: cron
Cron Schedule: 30 7 * * *

This works to have the search run at 7:30am, go back 12 hours and search for errors.

However for running again at 7:30pm, well this doesn't do it.

Is there a way to do this or do I have to have 2 separate searches with alerts? I'm assuming yes but figured I'd ask.

Tags (1)
0 Karma
1 Solution

coltadkison
Explorer

Your cron schedule only allows the search to run at 7:30 AM.
Cron uses a 24 hour time scheme.

Try setting your Cron schedule to:
30 7,19 * * *

This will have the search run at 0730 and again at 1930 which is 730 PM.

View solution in original post

coltadkison
Explorer

Your cron schedule only allows the search to run at 7:30 AM.
Cron uses a 24 hour time scheme.

Try setting your Cron schedule to:
30 7,19 * * *

This will have the search run at 0730 and again at 1930 which is 730 PM.

gnovak
Builder

OMG I totally forgot about that! Thanks you! Crisis averted! 🙂

Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...