I want to schedule a saved search to run on Sunday 1 AM every 2 weeks.
i.e. I need a search query to run
July 12, 2015 01:00:00 earliest:06/28/2015:00:00:00 latest:07/12/2015:00:00:00
July 26, 2015 01:00:00 earliest:07/12/2015:00:00:00 latest:07/26/2015:00:00:00
and so on.
Can anyone help me set up cron and earliest/latest for this scenario?
Thanks
Hi @adityapavan18
Can you confirm if @woodcock's answer below solved your issue? If yes, be sure to click "Accept" directly below his answer to resolve the post. If not, can you please comment on the answer and provide more details?
You can use a Cron expression, see these examples:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Definescheduledalerts#Use_cron_notation_for_...
Cron does not have the concept of multiples of weeks. The best you could manage with cron would be to schedule for every Sunday or fixed days of the month.
Are you OK if the savedSearch runs every week but with the data set of the last 2 weeks? You just need to ignore the weeks which you don't want.
It will become very simple in Cron.
This is not possible directly. You will have to run it every week and then short-circuit the job using addinfo and map for the weeks that it is not supposed to run, like this (extra steps for clarity):
| noop | stats count AS runThisWeek | addinfo | eval runThisWeek = if(((tonumber(strftime(now(),"%W"))%2)==1),"YES","NO") | eval earliestMaybe=if((runThisWeek=="YES"), info_min_time, now()) | map search="search earliest=$earliestMaybe$ latest=$info_max_time$ YOUR SEARCH HERE"
For the weeks it is not supposed to run, the search will generate an error.
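An added example (not code from the thread) that compares the %W week-parity test in the SPL above with a parity check against a fixed anchor Sunday, and builds the earliest/latest window for each run. The anchor date 2015-06-28 and the MM/DD/YYYY:HH:MM:SS time format are assumptions taken from the question's own examples; the 2018/2019 span is constructed to show what happens when %W resets at a year boundary.

```python
# Added example, not from the thread: which Sundays should a fortnightly
# search run on, and what earliest/latest window does each run cover?
# Contrasts the %W parity test used in the SPL above with an anchor-date test.
from datetime import date, datetime, time, timedelta
from typing import Callable, List, Tuple

ANCHOR = date(2015, 6, 28)             # assumed: first Sunday from the question
PERIOD_DAYS = 14                       # "every 2 weeks"
SPLUNK_TIME_FMT = "%m/%d/%Y:%H:%M:%S"  # earliest/latest format used in the question

def week_parity_run(run_day: date) -> bool:
    """The test in the SPL above: run when the %W week number is odd.
    %W restarts at 0 each January, so its parity is not stable across years."""
    return int(run_day.strftime("%W")) % 2 == 1

def anchor_run(run_day: date) -> bool:
    """Run when a whole number of 14-day periods has elapsed since ANCHOR."""
    elapsed = (run_day - ANCHOR).days
    return elapsed >= 0 and elapsed % PERIOD_DAYS == 0

def search_window(run_day: date) -> Tuple[str, str]:
    """earliest/latest strings covering the two weeks before midnight of run_day."""
    latest = datetime.combine(run_day, time.min)
    earliest = latest - timedelta(days=PERIOD_DAYS)
    return earliest.strftime(SPLUNK_TIME_FMT), latest.strftime(SPLUNK_TIME_FMT)

def scheduled_sundays(first: date, last: date, rule: Callable[[date], bool]) -> List[date]:
    """Every Sunday in [first, last] on which `rule` says the search runs."""
    day = first + timedelta(days=(6 - first.weekday()) % 7)  # first Sunday on/after `first`
    runs = []
    while day <= last:
        if rule(day):
            runs.append(day)
        day += timedelta(days=7)
    return runs

def run_gaps(runs: List[date]) -> List[int]:
    """Days between consecutive runs; anything but 14 means a two-week window
    is either never searched or searched twice."""
    return [(b - a).days for a, b in zip(runs, runs[1:])]

if __name__ == "__main__":
    span = (date(2018, 12, 1), date(2019, 1, 31))  # constructed span over a year boundary
    for name, rule in (("%W parity", week_parity_run), ("anchor", anchor_run)):
        runs = scheduled_sundays(*span, rule)
        print(name, [d.isoformat() for d in runs], "gaps:", run_gaps(runs))
```

Over that span the %W rule skips a Sunday (a 21-day gap, so one week of data is never searched) while the anchor rule keeps a steady 14 days; the anchor check can be placed in the same eval in place of the %W test.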
Refactoring your method in order to not generate an error, just an empty search, it looks like this if the alert is to run whenever there are results...
YOUR SEARCH HERE
[ | noop | stats count AS search
| eval search=if(((tonumber(strftime(now(),"%W"))%2)==1),"SomeLongStringHereWhichWillNeverBeFoundInBloomFilters","")]
| YOUR PROCESSING HERE
Of course, when the alert is to fire if there are NO records, then you'd have to have another clause afterward to create them...
I like the error, but it surely is a matter of taste.
Surely. otherwise known as YMMV.
I sure do wish somebody would click Accept already!
So did this work for you? If so, make sure you "Accept" an answer to close the question.
I do not think that there is a way to schedule this natively within the cron notation. I would agree with this answer and give it a try. Most *nix admins reference a script in crontab to accomplish this.
Thanks