Splunk Alert from 6 am?

karthi2809 · ‎11-10-2017

I have a scenario that the alert need to be triggered at 6 AM , But i will get the logs from 3 AM ? How to set earliest and latest time stamp for the scenario?
In other words it should run every 3hrs. Please help me on same ?

I set earliest :@d+3h and latest :@d+6h

harsmarvania57 · ‎11-10-2017

Hi,

If I am understanding correctlty your schedule search will run at every 3 hours & at 00 minutes and fetch last 3 hours data, in that case earliest time will be -3h@h and latest time will be either now or @h

I hope this helps.

Thanks,
Harshil

karthi2809 · ‎11-10-2017

Thanks,

But i need to set up alert which start from next day 6 am and continuously for every three hours .before that i dont want to alert trigger.

harsmarvania57 · ‎11-10-2017

@karthi2809 Do you mean to say you want to search future data ?

nawneel · ‎11-10-2017

@karthi2809 data come at 0300 HRS and and you want to schedule alert from 0600 at every 3 hours. is that understanding correct ? if so , schedule your alerts from 0300 using CRON and run it for last 3 hours.

Splunk Alert from 6 am?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Splunk Alert from 6 am?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions