Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert suppression

ahuihou
New Member
‎08-28-2018 01:56 PM

What is the best way to run a search to be alerted/emailed between 4pm-6am M-F, weekend and holidays? Should the search include the times or be adjusted in the cron schedule or lookup table? What would the example look like? Thanks.

0 Karma
Reply

Shan
Builder
‎08-29-2018 09:45 PM

@ahuihou,

I think then you need to go for 4 different alert setup.
I don't think you can achieve all condition in same cron schedule.
Please try below option..

“At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6 on Monday, Tuesday, Wednesday, Thursday, and Friday.” 

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * Mon,Tue,Wed,Thu,Fri

“At minute 0 past every hour on Saturday and Sunday.” 

00 */1 * * Sat,Sun

“At minute 0 past every hour on Monday.” 

00 */1 * * Mon

“At minute 0 past every hour on Thursday.” 

00 */1 * * Thu

Thanks ..

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 08:39 AM

No alert during the daytime between 6am-4pm M-F. I want an alert during 4pm-6am + all weekend + all holidays. The holidays would be tricky. Would a lookup table or file be the best or a combination of cron + lookup? If so, how is this accomplished?

0 Karma
Reply

Shan
Builder
‎08-29-2018 05:27 AM

@ahuihou,

It's always best to go for cron schedule for your scenario.

Try below cron cmd to schedule for 4pm-6am runs at “At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6.” of ever on everyday. Take cron from 00.

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * *
0 Karma
Reply

ahuihou
New Member
‎08-29-2018 09:20 AM

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-28-2018 02:32 PM

Hi,
You can do this by adjusting the cron schedule which looks something like this.
The cron syntax is:

  0 7-19 * * 1-5  (run hourly, 7am-7pm inclusive, Mon-Fri) 
  0 7-16 * * 6  (run hourly, 7am-4pm inclusive, Saturday)

Let me know if this helps.

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 09:20 AM

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma
Reply

Shan
Builder
‎08-29-2018 10:31 AM

@ahuihou,

As per ur comment. I look like u need alert for all whole calendar year .. so u don't wanna specify any day ...

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 01:35 PM

4pm-6am M-F
all day Saturday and Sunday 24hours
Holiday on Monday, all day Monday , Thanksgiving Thursday , all day Thursday. Does that make sense?

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-29-2018 10:27 AM

then you can set an alert to trigger between 4pm-6am everyday.
https://crontab.guru/

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...