Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up Alert Cron Time Range? Having trouble with false positive

OliverG91
Explorer
‎04-07-2022 11:57 PM

Because alert queries normally look back, say the last 15 minutes to the current time, we need to have our jobs start at say 12:15pm thru midnight.

For now our cron schedule is like this: */15 12-23 * * *, which of course runs from 12pm to 23:45. We see an issue where at 12pm, it may produce a false positive; at midnight (the next day) the alert will not run, and thus we may miss an important alert. We want it to run from 12:15pm thru 00:00 (next day), because of the 'look back' to the previous 15 minutes.

It may be very simple, but so far I'm at a loss. What is the correct way of doing this?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2022 12:12 AM

Either modify the search so that it detects the unwanted times and "aborts" or have a separate copy of the alert to just run at midnight

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-08-2022 12:01 AM

Hi @OliverG91,

did you tried this?

*/15 0,12-23 * * *

or

*/15 0,12,13,14,15,16,17,18,19,20,21,22,23 * * *

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

OliverG91
Explorer
‎04-08-2022 12:07 AM 
*/15 0,12-23 * * *

The problem with this is that it will also run at 00:15, 00:30 and 00:45, which is outside our alert window. 

*/15 0,12,13,14,15,16,17,18,19,20,21,22,23 * * *

 This one works the same way at the first one.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-08-2022 01:16 AM

Hi @OliverG91,

I'm afraid that in this case the only solution is to have two alarms:

one 

*/15 12-23 * * *

and another 

15 0 * * *

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-08-2022 01:18 AM

Hi @OliverG91,

sorry I started the click: you can also put a filter inside the search to discard the times you do not want

So you could use:

 

*/15 12-23 * * *

 

and in the search add the condition in the main search:

your_search NOT (time_hour=0 time_minute>15)

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2022 12:12 AM

Either modify the search so that it detects the unwanted times and "aborts" or have a separate copy of the alert to just run at midnight

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...