Dashboards & Visualizations

How to schedule an alert to trigger every hour

aditsss
Motivator

Hi Everyone,

I have one search query as below:

index=abc ns=hjk (nodeUrl ="*") Trace_Id=* "*"
| stats count by Trace_Id Span_Id ns app_name Log_Time caller nodeUrl nodeHttpStatus nodeResponseTime
| rename caller as "Caller"
| rename nodeUrl as "Node"
| rename nodeHttpStatus as "NodeHttpStatus"
| rename nodeResponseTime as "NodeResponseTime"
| fields - count
| replace "https://tyu/datagraphaccountnode/graphql" with "Account"
| replace "https:/fgh/datagraphassetnode/graphql" with "Asset"
| where NodeResponseTime >5000

I want to trigger this hourly.

How can I do this?

1 Solution

gcusello
SplunkTrust

As @richgalloway and I said, this isn't a correct cron definition: you have to define at what minute of the hour you want to run the alert (e.g. at 30) and then put this number in the first position of the cron:

30 * * * * 

This is the same thing as using the hourly definition in the alert creation panel.

Your definition is correct (and usually used) to schedule an alert e.g. every 15 minutes:

*/15 * * * *

Ciao.

Giuseppe


richgalloway
SplunkTrust

Alerts trigger when their trigger criterion (>0 results, for example) is met.  How often that happens depends entirely upon the data the alert searches.

Alerts can be made to *run* every hour very easily.  Go to Settings->Searches, reports, and alerts.  Locate the alert in question, click the Edit link then select "Edit alert".  Set the Alert type to Scheduled then select "Run every hour" from the next dropdown menu.  Click Save and you're done.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @aditsss,

Does your search work?

It seems to me not to be correct, because if you want to trigger the alert when NodeResponseTime >5000, and NodeResponseTime isn't an aggregated value, you don't need to put the condition at the end of the search; you could run something more efficient, because the first rule for optimizing searches is to put conditions as far left as possible:

index=abc ns=hjk (nodeUrl ="*") Trace_Id=* "*" nodeResponseTime>5000
| replace "https://tyu/datagraphaccountnode/graphql" with "Account"
| replace "https:/fgh/datagraphassetnode/graphql" with "Asset"
| stats count by Trace_Id Span_Id ns app_name Log_Time caller nodeUrl nodeHttpStatus nodeResponseTime 
| rename caller AS "Caller" nodeUrl AS "Node" nodeHttpStatus AS "NodeHttpStatus" nodeResponseTime AS "NodeResponseTime"
| fields - count

Then the replace command works on raw data, which you no longer have after the stats command.

Then you can put more renames in the same command.

Finally, you have to save your search as an alert, schedule it hourly, and trigger it when results are >0.

Ciao.

Giuseppe


aditsss
Motivator

@gcusello @richgalloway 

Thanks for the suggestion.

If I want to trigger it hourly, then do I need to set the Time Range as last 60 minutes and the cron expression as */60 * * * *, or do I need to take it as "Run every hour" and 30 minutes past the hour?

I want to schedule the trigger hourly.

 

 


gcusello
SplunkTrust

Hi @aditsss,

In the alert definition form you also have the choice to schedule the alert hourly without using a cron expression: you only have to define at what minute of each hour you want the search to run.

As for the Time Range, it's usually set to the frequency, but it isn't a rule because there could be different requirements.

Ciao.

Giuseppe


aditsss
Motivator

@gcusello 

Is this expression correct for 1 hour (cron schedule)?

*/60 * * * *


gcusello
SplunkTrust

Hi @aditsss,

As @richgalloway said, this isn't a correct cron definition: you have to define at what minute of the hour you want to run the alert (e.g. at 30) and then put this number in the first position of the cron:

30 * * * * 

This is the same thing as using the hourly definition in the alert creation panel.

Your definition is correct (and usually used) to schedule an alert e.g. every 15 minutes:

*/15 * * * *

Ciao.

Giuseppe


aditsss
Motivator

@gcusello @richgalloway

Then if I want to trigger the alert every hour, I can use last 60 minutes as my search time and then schedule it like this: */60 * * * * for past 0 minutes or 30 minutes.

Am I correct?


richgalloway
SplunkTrust

That's not a valid cron string.  See crontab.guru for a great web site for building and checking cron strings.

I tell my customers to pick a minute other than 0,15,30, or 45 for their hourly searches and put that number in the cron.  For example: 7 * * * *

---
If this reply helps you, Karma would be appreciated.
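A small cron checker, added here to illustrate the points made in this thread; it is not code from Splunk or from either poster. It expands the five cron fields, refuses a step larger than the field's span (so "*/60 * * * *" is rejected, as the answers above say, while "30 * * * *", "7 * * * *" and "*/15 * * * *" pass), lists the next fire times, and checks whether consecutive "last N minutes" search windows line up with the schedule, which is the Time Range question raised above. The step rule, the 0-6 day-of-week range and the Vixie-style handling of the two day fields are this example's own assumptions; it does not model Splunk's scheduler.

```python
import re
from datetime import datetime, timedelta

# Inclusive value ranges of the five cron fields:
# minute, hour, day-of-month, month, day-of-week (0 = Sunday; the '7' alias is not modelled).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

_ITEM = re.compile(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?")


def expand_field(spec, lo, hi):
    """Return (sorted values, is_wildcard) for one cron field.

    Accepts '*', 'n', 'a-b', comma lists, and a '/step' suffix on any item.
    Assumption of this example: a step larger than the field's span is an
    error, because '*/60' on the minute field could only ever match minute 0
    and so is not the hourly schedule the writer intended.
    """
    values = set()
    for item in spec.split(","):
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"malformed cron field {spec!r}")
        base, step = m.group(1), int(m.group(2) or 1)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start = end = int(base)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{item!r} is outside the range {lo}-{hi}")
        if step < 1 or step > hi - lo:
            raise ValueError(f"step {step} is too large for the range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values), spec == "*"


def parse_cron(expr):
    """Expand a five-field cron expression; raises ValueError if it is not usable."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def is_valid_cron(expr):
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def next_runs(expr, start, count):
    """The next `count` fire times strictly after `start`, at minute resolution."""
    (mins, _), (hours, _), (doms, dom_any), (months, _), (dows, dow_any) = parse_cron(expr)
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    runs = []
    while len(runs) < count:
        cron_dow = (t.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
        dom_ok, dow_ok = t.day in doms, cron_dow in dows
        # Vixie cron rule: when both day fields are restricted, matching either is enough
        day_ok = (dom_ok or dow_ok) if not (dom_any or dow_any) else (dom_ok and dow_ok)
        if t.minute in mins and t.hour in hours and t.month in months and day_ok:
            runs.append(t)
        t += timedelta(minutes=1)
    return runs


def window_coverage(expr, start, count, span_minutes):
    """How consecutive 'last span_minutes' searches relate under this schedule:
    'contiguous' (each event searched once), 'overlap' (events searched more
    than once, so one slow request can fire the alert repeatedly) or 'gap'
    (some events are never searched)."""
    runs = next_runs(expr, start, count)
    if len(runs) < 2:
        raise ValueError("need at least two runs to compare windows")
    spacings = {int((b - a).total_seconds() // 60) for a, b in zip(runs, runs[1:])}
    if spacings == {span_minutes}:
        return "contiguous"
    if min(spacings) < span_minutes:
        return "overlap"
    return "gap"


if __name__ == "__main__":
    start = datetime(2024, 12, 2, 9, 0)  # constructed reference time
    for expr in ("*/60 * * * *", "30 * * * *", "7 * * * *", "*/15 * * * *"):
        if not is_valid_cron(expr):
            print(f"{expr!r}: rejected")
            continue
        runs = ", ".join(t.strftime("%H:%M") for t in next_runs(expr, start, 4))
        print(f"{expr!r}: next runs {runs}; 60-minute windows are {window_coverage(expr, start, 4, 60)}")
```

Running it shows why the hourly schedule and the "last 60 minutes" Time Range belong together: "30 * * * *" with a 60-minute window searches every event exactly once, whereas "*/15 * * * *" with the same window searches each event four times, so a single slow request would raise the alert on four consecutive runs.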