Solved: Splunk Enteprise Security Alert time range setting...

SIEMStudent · ‎03-14-2022

Hi Splunkers,

I have to schedule a Saved Search in Splunk Enterprise Security that must be executed in a specific time range.
The task itself is not a problem; I followed Configure > Content > Content Management -> Create new content -> Saved search and then, cause the search must sent a mail at every activation, I have chosen New Alert.

The problem is the required time range: this alert must detect some kind of activity performed outside job office hour, so 18:01 of current day - 08:59 of day after (this every day).
So, for example, the search must be "active" starting from today at 18:01 until tomorrow at 08:59.

My doubt is: how can I configure this time range?
This is the alert configuration window:

I thougth about using Crontab, but I'm not sure I can configure a time range wich has not the same day for starting and ending time.
I thougth also about the All time panel but I didn't find anithing that help me to configure this particular time range.

ITWhisperer · ‎03-14-2022

* 0-8,18-23 * * *

View solution in original post

ITWhisperer · ‎03-14-2022

* 0-8,18-23 * * *

SIEMStudent · ‎03-16-2022

It works, thanks!

Splunk Enteprise Security Alert time range settings: How can I configure this time range?

cron

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!