Solved: Can I set timerange in alerts with custom time?

mahesh27 · ‎05-01-2023

I am creating an alert where the time range should be from 7 to 18 and corn schedule is for 5 mins

So in my alert if i give earliest=@d+7h and latest =@d+18h will this works??
And i dont want to receive alert after this time range.

how i can do this??

richgalloway · ‎05-02-2023

To do that, use earliest=-13h latest=-1h

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-01-2023

Using earliest=@d+7h latest =@d+18h restricts the search to events that happened during work hours. The alert still runs 24 hours a day so, depending on what triggers the alert, you may still receive an alert after hours.

To prevent an after-hours alert, change the cron schedule to run the alert only from 700-1800.

1-59/5 7-17 * * *

Notice how the last hour is 17 so the last alert runs at 17:56 rather than 18:56.

---
If this reply helps you, Karma would be appreciated.

mahesh27 · ‎05-01-2023

thankyou @richgalloway , it worked.
i have one more question.

if i want to run my alert for last 12 hours, like it should run at 6am and 6pm , and for 6am run it should collect data from 5pm to 5am(12h) and for 6pm run it should take data from 5am to 5pm

this can be done???

richgalloway · ‎05-02-2023

To do that, use earliest=-13h latest=-1h

---
If this reply helps you, Karma would be appreciated.

mahesh27 · ‎05-15-2023

Thankyou @richgalloway if worked

Can I set timerange in alerts with custom time?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies