Alerting

Trigger alert according to calendar

katalinali
Path Finder

Can Splunk send me an alert according to my one-year calendar? Or can it exclude a number of specific days?


Rob
Splunk Employee

You can set up the alerts using cron which will allow you to define when you want to run a saved search and send an alert with the results.

This can be done by selecting a saved search under 'Manager>>Searches and Reports'.

Cron syntax for once a year on January 1st would be (include the spaces between characters):

0 0 1 1 *

Where:

-- The first '0' is the minute of the hour (accepted values are 0-59)

-- The second '0' is the hour of the day (accepted values are 0-23)

-- The first '1' is the day of the month (accepted values are 1-31)

-- The second '1' is the month of the year (accepted values are 1-12)

-- The last '*' is for the day of the week (accepted values are 0-6 where 0 = Sunday, 1 = Monday, etc. The * character represents all legal values for the column.)

Cron works in an inclusive manner, which means that to exclude dates and times you would want to include all the dates and times when you would want cron to run the alert. This can be done by including a comma between values. Here is an example cron line for Monday, Wednesday, and Friday:

* * * * 1,3,5

If your exclusion rule is more specific, you may want to clone the search/alert and include another cron job to run. For example, if you wish not to run alerts on the 24th and 25th of December but would like them on every other work day, then the two cron lines you will want for the same cloned search would be (all entries below would be run at midnight):

0 0 * 1-11 1-5

0 0 1-23,26-31 12 1-5
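A small generator and checker for the cron-line approach above, added here as an example that is not part of the answer: given a set of dates to skip it emits the per-month lines the answer builds by hand (skipping Dec 24 and 25 reproduces the two lines above), and cron_matches tests a line against a date. It assumes plain 5-field cron lines and the Sunday = 0 day-of-week numbering from the answer.

```python
# Added example, not from the post: build the per-month cron lines the answer describes.
import calendar

def _ranges(values):
    """Collapse sorted ints into cron list/range syntax: [1,2,3,5] -> '1-3,5'."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)

def cron_lines_excluding(excluded, year, minute=0, hour=0, dow="1-5"):
    """Cron lines that together fire at hour:minute on every `dow` day of `year`
    except the dates in `excluded` (a set of datetime.date)."""
    lines, clean = [], []
    for m in range(1, 13):
        skip = {d.day for d in excluded if (d.year, d.month) == (year, m)}
        if not skip:
            clean.append(m)
            continue
        days = [d for d in range(1, calendar.monthrange(year, m)[1] + 1) if d not in skip]
        lines.append(f"{minute} {hour} {_ranges(days)} {m} {dow}")
    if clean:  # months with no exclusions share a single line
        lines.insert(0, f"{minute} {hour} * {_ranges(clean)} {dow}")
    return lines

def _field_matches(field, value):
    if field == "*":
        return True
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        if (int(lo) <= value <= int(hi)) if hi else (int(lo) == value):
            return True
    return False

def cron_matches(line, when, vixie_or=False):
    """True if a 5-field cron line fires at `when`. Day-of-month and day-of-week are
    ANDed as the answer assumes; vixie_or=True ORs them per crontab(5) when both are set."""
    minute, hour, dom, month, dow = line.split()
    if not (_field_matches(minute, when.minute) and _field_matches(hour, when.hour)
            and _field_matches(month, when.month)):
        return False
    d_ok = _field_matches(dom, when.day)
    w_ok = _field_matches(dow, when.isoweekday() % 7)  # Sunday = 0, as in the answer
    if vixie_or and dom != "*" and dow != "*":
        return d_ok or w_ok
    return d_ok and w_ok
```

Note that crontab(5) on Vixie/ISC cron fires when either day-of-month or day-of-week matches if both fields are restricted, so a line like `0 0 1-23,26-31 12 1-5` would still run on a weekday Dec 24 under that rule; confirm which rule your scheduler applies before relying on the exclusion (cron_matches(..., vixie_or=True) shows the difference).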


