Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Will the time range work on specific cron expression when firing alerts once every fifteen minutes?

mkrishnamoorthy
Explorer
‎06-11-2019 10:01 PM

Hey all,

I wanted to fire alerts once in every 15 mins, in between 6am to 8pm everyday. I have written a cron expression as

  • /15 06-20 * * *

.
I selected time-range as last 15 minutes,.

So my question is, What does time-range do here? Will the time range works on specific cron expression?

If am wrong, could you please help me out to fire alerts on specific cron time?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-12-2019 06:56 AM

Hi mkrishnamoorthy,
Your cron schedule looks almost right (I'm sure it's the HTML dropping the * character.)
*/15 06-20 * * * will run the search starting from 6AM through 8PM every day of the year.

In the schedule, when you select time range, that's the range of time that Splunk searches from. So if you set it to last 15 minutes, at 6AM Splunk will run the search looking at 5:45AM - 6:00AM for the requested data.

The other way to approach this would be to create an alert that only fires if there are results, and then craft your search to check the time and only present results if the time falls within your scope of 6AM - 8PM.

View solution in original post

Reply
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-12-2019 06:56 AM

Hi mkrishnamoorthy,
Your cron schedule looks almost right (I'm sure it's the HTML dropping the * character.)
*/15 06-20 * * * will run the search starting from 6AM through 8PM every day of the year.

In the schedule, when you select time range, that's the range of time that Splunk searches from. So if you set it to last 15 minutes, at 6AM Splunk will run the search looking at 5:45AM - 6:00AM for the requested data.

The other way to approach this would be to create an alert that only fires if there are results, and then craft your search to check the time and only present results if the time falls within your scope of 6AM - 8PM.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2019 06:40 AM

The time range specifies how far back the query will look for events. A time range of 15 minutes is not the same as running every 15 minutes, although each setting should be considerate of the other.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...