How to set up Alert Cron Time Range? Having trouble with false positive

OliverG91
Explorer

Because alert queries normally look back, say the last 15 minutes to the current time, we need to have our jobs start at say 12:15pm thru midnight.

For now our cron schedule is like this: */15 12-23 * * *, which of course runs from 12pm to 23:45. We see an issue where at 12pm, it may produce a false positive; at midnight (the next day) the alert will not run, and thus we may miss an important alert. We want it to run from 12:15pm thru 00:00 (next day), because of the 'look back' to the previous 15 minutes.

It may be very simple, but so far I'm at a loss. What is the correct way of doing this?

1 Solution

ITWhisperer
SplunkTrust

Either modify the search so that it detects the unwanted times and "aborts" or have a separate copy of the alert to just run at midnight


gcusello
SplunkTrust

Hi @OliverG91,

did you try this?

*/15 0,12-23 * * *

or

*/15 0,12,13,14,15,16,17,18,19,20,21,22,23 * * *

Ciao.

Giuseppe


OliverG91
Explorer
*/15 0,12-23 * * *

The problem with this is that it will also run at 00:15, 00:30 and 00:45, which is outside our alert window. 

*/15 0,12,13,14,15,16,17,18,19,20,21,22,23 * * *

This one works the same way as the first one.


gcusello
SplunkTrust

Hi @OliverG91,

I'm afraid that in this case the only solution is to have two alarms:

one 

*/15 12-23 * * *

and another 

15 0 * * *

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @OliverG91,

sorry, I clicked too soon: you can also put a filter inside the search to discard the times you do not want.

So you could use:

*/15 12-23 * * *

and in the search add the condition in the main search:

your_search NOT (time_hour=0 time_minute>15)

Ciao.

Giuseppe

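The thread is doing the look-back arithmetic by hand, so here is an added example (my own code, not from the thread or from Splunk) that does it mechanically: it expands the minute and hour fields of a daily cron expression, works out the interval each run actually searches given the 15-minute look-back, and reports both the runs that search data outside the wanted 12:00-to-midnight window (the false-positive candidates) and the parts of the window no run searches (the missed alerts). The `run_is_wanted` predicate is the same check ITWhisperer's "detect the unwanted times and abort" approach would perform inside the search. It assumes the field syntax seen above (`*`, `*/n`, `a-b`, comma lists) and a `* * *` day/month/weekday; the window, look-back and schedules are the thread's.

```python
"""Judge daily cron schedules against an alert's look-back window.

Added example: a run fired at midnight offset t searches [t - lookback, t),
wrapped to one day, so the 00:00 run searches 23:45-24:00 of the day before.
A run is wanted only when everything it searches lies inside the window.
"""
from datetime import timedelta

DAY = timedelta(days=1)
LOOKBACK = timedelta(minutes=15)      # the alert's "last 15 minutes"
WINDOW = (timedelta(hours=12), DAY)   # wanted coverage: 12:00 .. 24:00


def expand_field(field, lo, hi):
    """Expand one cron field ('*', '*/n', 'a-b', lists) to sorted ints in [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            first, last = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            first, last = int(a), int(b)
        else:
            first = last = int(part)
        if not lo <= first <= last <= hi:
            raise ValueError(f"cron field {field!r} is outside {lo}-{hi}")
        values.update(range(first, last + 1, step))
    return sorted(values)


def fire_times(cron):
    """Fire times of a daily five-field cron expression as offsets from midnight."""
    minute_field, hour_field, *rest = cron.split()
    if rest != ["*", "*", "*"]:
        raise ValueError("only schedules with '* * *' day/month/weekday are handled")
    return [timedelta(hours=h, minutes=m)
            for h in expand_field(hour_field, 0, 23)
            for m in expand_field(minute_field, 0, 59)]


def searched_interval(t, lookback=LOOKBACK):
    """[start, end) that a run at offset t searches, start wrapped into one day.
    An end past 24:00 (possible only for unaligned look-backs) is left as is,
    which makes run_is_wanted reject it."""
    start = (t - lookback) % DAY
    return start, start + lookback


def run_is_wanted(t, lookback=LOOKBACK, window=WINDOW):
    """True when everything the run searches lies inside the wanted window.
    This is the predicate an in-search guard would evaluate to abort a run."""
    start, end = searched_interval(t, lookback)
    return window[0] <= start and end <= window[1]


def hhmm(offset):
    """Format a midnight offset as HH:MM ('24:00' for end of day)."""
    minutes = int(offset.total_seconds()) // 60
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def evaluate(*crons, lookback=LOOKBACK, window=WINDOW):
    """Judge one or more alerts (e.g. the two-alarm variant) sharing a look-back.

    Returns (unwanted, gaps): fire times whose runs search data outside the
    window, and [start, end) parts of the window no wanted run searches."""
    runs = sorted({t for cron in crons for t in fire_times(cron)})
    unwanted = [hhmm(t) for t in runs if not run_is_wanted(t, lookback, window)]
    covered = sorted(searched_interval(t, lookback)
                     for t in runs if run_is_wanted(t, lookback, window))
    gaps, cursor = [], window[0]
    for start, end in covered:      # sweep the sorted intervals for holes
        if start > cursor:
            gaps.append((hhmm(cursor), hhmm(start)))
        cursor = max(cursor, end)
    if cursor < window[1]:
        gaps.append((hhmm(cursor), hhmm(window[1])))
    return unwanted, gaps


if __name__ == "__main__":
    # The schedules proposed in the thread, plus a midnight run at exactly 00:00.
    for schedule in (("*/15 12-23 * * *",),
                     ("*/15 0,12-23 * * *",),
                     ("*/15 12-23 * * *", "15 0 * * *"),
                     ("*/15 12-23 * * *", "0 0 * * *")):
        unwanted, gaps = evaluate(*schedule)
        print(" + ".join(schedule), "-> unwanted runs:", unwanted, "gaps:", gaps)
```

Run over the thread's schedules, the output shows the 12:00 run as the false-positive source in every variant (it searches 11:45-12:00), the `0,12-23` form adding unwanted 00:15, 00:30 and 00:45 runs, and only a run fired at exactly 00:00 closing the 23:45-24:00 gap; a schedule with `15 0` fires fifteen minutes late and leaves that gap open. Since no single cron expression can skip just the 12:00 run, the practical choice is between extra alert copies and a guard in the search that applies `run_is_wanted` to the scheduled time.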
