Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up cron to run search out of working hours?

woodentree
Communicator
‎03-04-2020 01:55 AM

Hello,

We would like to run a correlation search every 15 minutes but only out of working hours. It means from 6pm to 8am on weekdays and 24 hours on weekends. We thought about the cron below:

14-59/15 18-23,0-7 * * *

However, in this case, we do not cover 8am-6pm scope on weekends, which is not good. Do you have an idea which cron we should use?

Thanks for the help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-04-2020 02:03 AM

One option is schedule two searches - one for weekdays, and one for weekends.
14-59/15 18-23,0-7 * * 1-5 for weekdays
and
14-59/15 * * * 6-7 for weekends

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2020 02:09 AM

Hi @woodentree,
the easiest way is to use a cron every 15 minutes ( */15 * * * * ) and manage the exclusions in the search adding to the main search:

(NOT (date_wday=Sunday OR date_wday=Saturday) date_hour>17 date_hour<8)

but in this way you don't manage the holydays.

To manage holydays, you have to create a calendar lookup and use it for the exclusions.

Ciao.
Giuseppe

Reply
Solved! Jump to solution

woodentree
Communicator
‎03-04-2020 02:23 AM

Hi @gcusello,

Thanks for the help.

I’m afraid it will not work for us. Most of our correlation searches uses tstats with avg , sum or count functions.

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-04-2020 02:03 AM

One option is schedule two searches - one for weekdays, and one for weekends.
14-59/15 18-23,0-7 * * 1-5 for weekdays
and
14-59/15 * * * 6-7 for weekends

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

woodentree
Communicator
‎03-04-2020 02:18 AM

Hi @nickhillscpl ,

Appreciate your help.

It could be a workaround but I’m afraid not the best one for our circumstances. It will add an additional complexity to maintain a third party inventory tool we have to list our searches in, to set up reporting for management, etc.). Do you know if there is a way to do it in one search?

Thanks.

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-04-2020 02:20 AM

In that case, use the solution below from @gcusello !

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

woodentree
Communicator
‎03-04-2020 02:25 AM

Like I've just answered to @gcusello, it looks like it will not be possible for our searches 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...