Alerting

Splunk Enteprise Security Alert time range settings: How can I configure this time range?

SIEMStudent
Path Finder

Hi Splunkers,

I have to schedule a Saved Search in Splunk Enterprise Security that must be executed in a specific time range.
The task itself is not a problem; I followed  Configure > Content > Content Management -> Create new content -> Saved search and then, cause the search must sent a mail at every activation, I have chosen New Alert.

The problem is the required time range: this alert must detect some kind of activity performed outside job office hour, so 18:01 of current day - 08:59 of day after (this every day). 
So, for example, the search must be "active" starting from today at 18:01 until tomorrow at 08:59.

My doubt is: how can I configure this time range? 
This is the alert configuration window:

SIEMStudent_0-1647257574319.png

 

I thougth about using Crontab, but I'm not sure I can configure a time range wich has not the same day for starting and ending time.
I thougth also about the All time panel but I didn't find anithing that help me to configure this particular time range.

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
* 0-8,18-23 * * *

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
* 0-8,18-23 * * *

SIEMStudent
Path Finder

It works, thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...