Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to set up Alert Cron Time Range? Having trouble with false positive

OliverG91
Explorer
‎04-07-2022 11:57 PM

Because alert queries normally look back, say the last 15 minutes to the current time, we need to have our jobs start at say 12:15pm thru midnight.

For now our cron schedule is like this: */15 12-23 * * *, which of course runs from 12pm to 23:45. We see an issue where at 12pm, it may produce a false positive; at midnight (the next day) the alert will not run, and thus we may miss an important alert. We want it to run from 12:15pm thru 00:00 (next day), because of the 'look back' to the previous 15 minutes.

It may be very simple, but so far I'm at a loss. What is the correct way of doing this?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2022 12:12 AM

Either modify the search so that it detects the unwanted times and "aborts" or have a separate copy of the alert to just run at midnight

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-08-2022 12:01 AM

Hi @OliverG91,

did you tried this?

*/15 0,12-23 * * *

or

*/15 0,12,13,14,15,16,17,18,19,20,21,22,23 * * *

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

OliverG91
Explorer
‎04-08-2022 12:07 AM 
*/15 0,12-23 * * *

The problem with this is that it will also run at 00:15, 00:30 and 00:45, which is outside our alert window. 

*/15 0,12,13,14,15,16,17,18,19,20,21,22,23 * * *

 This one works the same way at the first one.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-08-2022 01:16 AM

Hi @OliverG91,

I'm afraid that in this case the only solution is to have two alarms:

one 

*/15 12-23 * * *

and another 

15 0 * * *

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-08-2022 01:18 AM

Hi @OliverG91,

sorry I started the click: you can also put a filter inside the search to discard the times you do not want

So you could use:

 

*/15 12-23 * * *

 

and in the search add the condition in the main search:

your_search NOT (time_hour=0 time_minute>15)

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2022 12:12 AM

Either modify the search so that it detects the unwanted times and "aborts" or have a separate copy of the alert to just run at midnight

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...