Re: Create an alert for each working day before 8....

gemrose · ‎01-18-2023

Hello Team,

I need to send an alert on all working day at 8.00 AM with a time range of 24hrs except on Monday with a time range of 3 days. Will this be possible in our alert settings for the same SPL query but different time range. OR should we add in SPL query ?

ITWhisperer · ‎01-18-2023

You could append a timeframe adjustment to your base search

<your base search> [| makeresults
| fields - _time
| addinfo
| eval day=strftime(info_max_time, "%w")
| eval period=if(day == 1, "-3d", "-1d")
| eval earliest=relative_time(info_max_time,period)
| eval latest=info_max_time
| fields earliest latest]

Here I have used the end time as the reference point, but you could do similar with info_min_time

scelikok · ‎01-18-2023

Hi @gemrose,

You can setup two alerts with below cron settings and time ranges using the same SPL;

Mondays;
Cron -> 0 8 * * 1
TimeRange --> -3d

Other days;
Cron -> 0 8 * * 2-5 
TimeRange --> -24h

If this reply helps you an upvote and "Accept as Solution" is appreciated.

how to create an alert for each working day before 8.00 AM. (tue- fri) summary from the past 24hr and Mon(3 days)?

alert action

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases