Solved: Schedule search every 12 hours

gnovak · ‎06-26-2013

I know this might seem like a simple question, but for some reason today I'm having trouble with this.

I have a search. I created an alert for this search. I want this search to run at 7:30am and search the last 12 hours, alert if there are any results and then run again 12 hours from that time, which would be at 7:30pm.

However I'm having trouble getting this to happen. I have this for the saved alert/search:

Search: sourcetype=TMFErrors eventtype="PlatformSQLException" ETL "No space left on device"
Start Time: -12h@h
End time: Now
Schedule Type: cron
Cron Schedule: 30 7 * * *

This works to have the search run at 7:30am, go back 12 hours and search for errors.

However for running again at 7:30pm, well this doesn't do it.

Is there a way to do this or do I have to have 2 separate searches with alerts? I'm assuming yes but figured I'd ask.

coltadkison · ‎06-26-2013

Your cron schedule only allows the search to run at 7:30 AM.
Cron uses a 24 hour time scheme.

Try setting your Cron schedule to:
30 7,19 * * *

This will have the search run at 0730 and again at 1930 which is 730 PM.

View solution in original post

coltadkison · ‎06-26-2013

Your cron schedule only allows the search to run at 7:30 AM.
Cron uses a 24 hour time scheme.

Try setting your Cron schedule to:
30 7,19 * * *

This will have the search run at 0730 and again at 1930 which is 730 PM.

gnovak · ‎06-26-2013

OMG I totally forgot about that! Thanks you! Crisis averted! 🙂

Schedule search every 12 hours

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!