Splunk Search

Alert suppression

ahuihou
New Member

What is the best way to run a search to be alerted/emailed between 4pm-6am M-F, weekend and holidays? Should the search include the times or be adjusted in the cron schedule or lookup table? What would the example look like? Thanks.

0 Karma

Shan
Builder

@ahuihou,

I think then you need to go for 4 different alert setup.
I don't think you can achieve all condition in same cron schedule.
Please try below option..

“At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6 on Monday, Tuesday, Wednesday, Thursday, and Friday.” 

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * Mon,Tue,Wed,Thu,Fri

“At minute 0 past every hour on Saturday and Sunday.” 

00 */1 * * Sat,Sun

“At minute 0 past every hour on Monday.” 

00 */1 * * Mon

“At minute 0 past every hour on Thursday.” 

00 */1 * * Thu

Thanks ..

0 Karma

ahuihou
New Member

No alert during the daytime between 6am-4pm M-F. I want an alert during 4pm-6am + all weekend + all holidays. The holidays would be tricky. Would a lookup table or file be the best or a combination of cron + lookup? If so, how is this accomplished?

0 Karma

Shan
Builder

@ahuihou,

It's always best to go for cron schedule for your scenario.

Try below cron cmd to schedule for 4pm-6am runs at “At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6.” of ever on everyday. Take cron from 00.

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * *
0 Karma

ahuihou
New Member

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma

pruthvikrishnap
Contributor

Hi,
You can do this by adjusting the cron schedule which looks something like this.
The cron syntax is:

  0 7-19 * * 1-5  (run hourly, 7am-7pm inclusive, Mon-Fri) 
  0 7-16 * * 6  (run hourly, 7am-4pm inclusive, Saturday)

Let me know if this helps.

0 Karma

ahuihou
New Member

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma

Shan
Builder

@ahuihou,

As per ur comment. I look like u need alert for all whole calendar year .. so u don't wanna specify any day ...

0 Karma

ahuihou
New Member

4pm-6am M-F
all day Saturday and Sunday 24hours
Holiday on Monday, all day Monday , Thanksgiving Thursday , all day Thursday. Does that make sense?

0 Karma

pruthvikrishnap
Contributor

then you can set an alert to trigger between 4pm-6am everyday.
https://crontab.guru/

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...