I want to schedule a saved search to run on Sunday 1 AM every 2 weeks.
I.e., I need a search query to run:
July 12, 2015 01:00:00 earliest:06/28/2015:00:00:00 latest:07/12/2015:00:00:00
July 26, 2015 01:00:00 earliest:07/12/2015:00:00:00 latest:07/26/2015:00:00:00
and so on.
Can anyone help me set up cron and earliest/latest for this scenario?
Can you confirm if @woodcock's answer below solved your issue? If yes, be sure to click "Accept" directly below his answer to resolve the post. If not, can you please comment on the answer and provide more details?
This is not possible directly. You will have to run it every week and then short-circuit the job using map for the weeks that it is not supposed to run like this (extra steps for clarity):
| noop | stats count AS runThisWeek | addinfo | eval runThisWeek = if(((tonumber(strftime(now(),"%W"))%2)==1),"YES","NO") | eval earliestMaybe=if((runThisWeek=="YES"), info_min_time, now()) | map search="search earliest=$earliestMaybe$ latest=$info_max_time$ YOUR SEARCH HERE"
For the weeks it is not supposed to run, the search will generate an error.
Refactoring your method in order to not generate an error, just an empty search, it looks like this if the alert is to run whenever there are results...
YOUR SEARCH HERE [ | noop | stats count AS search | eval search=if(((tonumber(strftime(now(),"%W"))%2)==1),"SomeLongStringHereWhichWillNeverBeFoundInBloomFilters","")] | YOUR PROCESSING HERE
Of course, when the alert is to fire if there are NO records, then you'd have to have another clause afterward to create them...
I do not think that there is a way to schedule this natively within the cron notation. I would agree with this answer and give it a try. Most *nix admins reference a script in crontab to accomplish this.
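Added example, not written by any poster in this thread: a Python sketch of the crontab-script approach mentioned in the last comment, gating a weekly Sunday job so it acts only every second week and computing the earliest/latest window in the format used in the question. It goes beyond the thread by comparing the %W parity test from the answers with a fixed-anchor count across a year boundary, where %W restarts and the two-week rhythm slips. ANCHOR and all function names are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta

# Assumption: the first intended run from the question (Sunday, July 12, 2015).
ANCHOR = date(2015, 7, 12)
SPLUNK_FMT = "%m/%d/%Y:%H:%M:%S"  # time format used in the question


def runs_by_anchor(run_day: date) -> bool:
    """True on every second week, counted from ANCHOR in whole calendar days."""
    return ((run_day - ANCHOR).days // 7) % 2 == 0


def runs_by_week_parity(run_day: date) -> bool:
    """The thread's test: odd %W (week of year, Monday first) means run."""
    return int(run_day.strftime("%W")) % 2 == 1


def window(run_day: date) -> tuple[str, str]:
    """earliest/latest covering the 14 days up to midnight of the run day."""
    latest = datetime.combine(run_day, datetime.min.time())
    earliest = latest - timedelta(days=14)
    return earliest.strftime(SPLUNK_FMT), latest.strftime(SPLUNK_FMT)


def compare(first_sunday: date, weeks: int) -> list[tuple[date, bool, bool]]:
    """(Sunday, anchor decision, %W decision) for consecutive Sundays."""
    days = (first_sunday + timedelta(weeks=i) for i in range(weeks))
    return [(d, runs_by_anchor(d), runs_by_week_parity(d)) for d in days]


if __name__ == "__main__":
    # Constructed sample range: five Sundays spanning the 2018/2019 boundary.
    for day, by_anchor, by_parity in compare(date(2018, 12, 16), 5):
        line = f"{day} anchor={by_anchor} week_parity={by_parity}"
        if by_anchor:
            line += " earliest={} latest={}".format(*window(day))
        print(line)
```

Over the sample range the %W test skips both December 30, 2018 (week 52) and January 6, 2019 (week 0), leaving a three-week gap in coverage, while the anchor count keeps the 14-day cadence.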