How to create a Splunk alert cron for monday to friday 7:30 to 8PM ?

taslimsama21
Loves-to-Learn Lots

Hi,

I am not able to come up with a cron expression for an alert to run every 10 min, Mon to Fri, from 7:30AM to 8:00PM.

Can anyone please help with this cron expression?

I only know this: */10 7-20 * * 1-5

but I don't know how to give 7:30 instead of 7am in this case.

Thanks, Taslim.

ITWhisperer
SplunkTrust

The cron expression you used will give you 0, 10, 20, 30, 40 and 50 past every hour between 7am and 8pm, Monday to Friday. That means 7:00 to 20:50. As @gcusello says, with this single expression you will have to change your search to exclude times outside your desired times. Another alternative is to have multiple reports with the same search but different schedules to cover the time periods you want, e.g.

  • 30,40,50 7 * * 1-5
  • 0 8-20 * * 1-5
  • 10,20,30,40,50 8-19 * * 1-5
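To check that the three schedules above really do cover every 10 minutes from 07:30 to 20:00 inclusive, Monday to Friday, and nothing else, here is an added example that is not from the thread: a minimal matcher for the five-field cron syntax Splunk uses for scheduled searches (minute, hour, day-of-month, month, day-of-week), which enumerates every minute of a constructed week and compares the firing times against the wanted window. It also shows which extra times the single `*/10 7-20 * * 1-5` expression fires at. The week starting 2024-02-05 and all function names are the example's own.

```python
"""Enumerate the firing times of cron schedules over one week.

Added example (not from the thread). Supports '*', single values, ranges,
comma lists and '/step' in each of the five fields. Day-of-month and
day-of-week are both required to match, which is adequate here because
every schedule in the thread leaves day-of-month as '*'.
"""
from datetime import datetime, timedelta

# Allowed value range for each of the five cron fields.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec, lo, hi):
    """Expand one field ('*', 'a', 'a-b', 'a,b,c', '*/n', 'a-b/n') to a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field value out of range: {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a five-field cron expression into five sets of allowed values."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    parsed = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    if 7 in parsed[4]:          # cron: 0 and 7 are both Sunday
        parsed[4].add(0)
    return parsed


def matches(parsed, dt):
    """True if the parsed expression fires at datetime dt."""
    minute, hour, dom, month, dow = parsed
    cron_dow = (dt.weekday() + 1) % 7   # Python Mon=0 .. Sun=6; cron Sun=0, Mon=1
    return (dt.minute in minute and dt.hour in hour and dt.day in dom
            and dt.month in month and cron_dow in dow)


def firing_times(exprs, start, days=7):
    """Sorted list of minutes in [start, start + days) at which any expression fires."""
    parsed = [parse_cron(e) for e in exprs]
    fired = []
    t, end = start, start + timedelta(days=days)
    while t < end:
        if any(matches(p, t) for p in parsed):
            fired.append(t)
        t += timedelta(minutes=1)
    return fired


# Constructed week starting on a Monday; any Monday gives the same result.
WEEK_START = datetime(2024, 2, 5)

SPLIT_SCHEDULES = ["30,40,50 7 * * 1-5", "0 8-20 * * 1-5", "10,20,30,40,50 8-19 * * 1-5"]
SINGLE_SCHEDULE = ["*/10 7-20 * * 1-5"]


def expected_window(start=WEEK_START):
    """Every 10 minutes from 07:30 to 20:00 inclusive, Monday to Friday."""
    times = []
    for day in range(5):
        base = start + timedelta(days=day)
        for m in range(7 * 60 + 30, 20 * 60 + 1, 10):
            times.append(base + timedelta(minutes=m))
    return times


def split_schedule_is_exact(start=WEEK_START):
    """True if the three schedules fire at exactly the wanted times and no others."""
    return firing_times(SPLIT_SCHEDULES, start) == expected_window(start)


def single_schedule_extra(start=WEEK_START):
    """Firing times of the single expression that fall outside the wanted window."""
    wanted = set(expected_window(start))
    return [t for t in firing_times(SINGLE_SCHEDULE, start) if t not in wanted]


if __name__ == "__main__":
    print("split schedules exact:", split_schedule_is_exact())
    extra = single_schedule_extra()
    print(f"single expression fires {len(extra)} extra times per week, e.g.",
          [t.strftime("%a %H:%M") for t in extra[:4]])
```

Running it reports that the three split schedules are exact (380 firings a week) and that the single expression fires 40 extra times a week: 07:00, 07:10 and 07:20 plus 20:10 through 20:50 on each weekday, which is what the search-side filtering discussed below has to deal with.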

taslimsama21
Loves-to-Learn Lots

Hi @ITWhisperer

I would prefer to exclude results from 7 to 7:30.

Can you help me with how to exclude them? I tried a few things but they are not working.


ITWhisperer
SplunkTrust

Are you trying to make it so that if the search runs between 7 and 7:30, there are no results, or trying to exclude events from these times from your search?


taslimsama21
Loves-to-Learn Lots

@ITWhisperer

My requirement is:

an alert to run every 10 min, Mon to Fri, from 7:30AM to 8:00PM,

but because I don't know how to give minutes in this cron: */10 7-19 * * 1-5

that's why I will run it for 7am to 8pm and then exclude results from 7.00 to 7.30.

ITWhisperer
SplunkTrust

That doesn't really answer my question. For example, your search which runs every 10 minutes could be using a relative timeframe to look (back) at the last 5 minutes, or the last 10 minutes, or from 15 minutes prior to the current time to 5 minutes prior to the current time. So if this report ran at 7:30, would you want the report to run with this time frame, or to exclude any events which were before 7:30? That is, do you want the time restriction to apply to the events being used by the search?

Alternatively, do you want the report to find no results if it is running before 7:30, no matter what the timeframe of the search is?


taslimsama21
Loves-to-Learn Lots

@ITWhisperer 

Basically this will be an alert which will trigger if the result is 0 for my search.

And I want to trigger the alert only between 7:30 AM and 8:00PM, Monday to Friday.

So if the result of my search is 0 for the last 10 min then trigger the alert, and check every 10 min from 7.30AM till 8PM.

ITWhisperer
SplunkTrust

Given that you want to trigger when there are no results, this makes it a little trickier because you would have to create a dummy event if the result count is zero outside of the required hours. Try something like this at the end of your alert search:

| appendpipe
    [| stats count as _count
    | eval hhmm=tonumber(strftime(time(),"%H%M"))
    | where _count=0 AND (hhmm < 730 OR hhmm >= 2000)
    | eval ooh="Out of hours"]

gcusello
SplunkTrust

Hi @taslimsama21,

you could use your cron expression for your search and add a condition to your search to exclude results from 7.00 to 7.30.

Ciao.

Giuseppe


taslimsama21
Loves-to-Learn Lots

Hi @gcusello

It's not working with the query below:

sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5


gcusello
SplunkTrust

Hi @taslimsama21,

please try this:

sourcetype=foo
| eval
   date_hour=tonumber(strftime(_time, "%H")),
   date_minute=tonumber(strftime(_time, "%M")),
   date_wday=tonumber(strftime(_time, "%w"))
| search ((date_hour=7 date_minute>=30) OR date_hour>=8) date_hour<=18 date_wday>=1 date_wday<=5

Ciao.

Giuseppe
