Alerting

Splunk Enteprise Security Alert time range settings: How can I configure this time range?

SIEMStudent
Path Finder

Hi Splunkers,

I have to schedule a Saved Search in Splunk Enterprise Security that must be executed in a specific time range.
The task itself is not a problem; I followed  Configure > Content > Content Management -> Create new content -> Saved search and then, cause the search must sent a mail at every activation, I have chosen New Alert.

The problem is the required time range: this alert must detect some kind of activity performed outside job office hour, so 18:01 of current day - 08:59 of day after (this every day). 
So, for example, the search must be "active" starting from today at 18:01 until tomorrow at 08:59.

My doubt is: how can I configure this time range? 
This is the alert configuration window:

SIEMStudent_0-1647257574319.png

 

I thougth about using Crontab, but I'm not sure I can configure a time range wich has not the same day for starting and ending time.
I thougth also about the All time panel but I didn't find anithing that help me to configure this particular time range.

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
* 0-8,18-23 * * *

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
* 0-8,18-23 * * *

SIEMStudent
Path Finder

It works, thanks!

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...