Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I include time range fields, Cron Schedule,...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I include time range fields, Cron Schedule, and Alert Condition in my search to validate my Splunk Alert?
Hello Everyone ,
We need to validate our teams Splunk Alerts are correct.
And that the Alert conditions thresholds are set correctly.
I have a search that is effective at looking over the last 30 days of results and counting them against the threshold and time range window.
But if I have an alert with a Cron schedule , then I need to create something more dynamic.
Current Search:
index=Sam SAM_Environment="PROD" BAM_ActivityID="XYGCC_HAPPY" VENDOR_NAME="ABCDVENDING"
|timechart span=15m count earliest= |search count<10
We need this same search to be able to run the Cron parameters.
Time Range : Earliest -16m@m Latest: -1m@m
Cron Schedule : */15 6-22 * * 1-5
Alert Condition : if number of events is less than 10
Any Ideas ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try. It will exclude the events based on your cron time filters (run for hours 6 to 22, mon to fri)
index=Sam SAM_Environment="PROD" BAM_ActivityID="XYGCC_HAPPY" VENDOR_NAME="ABCDVENDING"
| eval Hour=strftime(_time,"%H") | eval Day=strftime(_time,"%w") | where Hour>5 AND Hour<23 AND Day>0 AND Day<6 |timechart span=15m count earliest= |search count<10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're running a search every 15 minutes and processing 15 mins worth of data, then instead of using timechart, you could use simple stats. and change the alert condition to if number of event is greater than 0 (means fire alert if found any records where count<10.
index=Sam SAM_Environment="PROD" BAM_ActivityID="XYGCC_HAPPY" VENDOR_NAME="ABCDVENDING"
| stats count |search count<10
Time Range : Earliest -16m@m Latest: -1m@m
Cron Schedule : */15 6-22 * 1-5
Alert Condition : if number of events is greater than 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im sorry maybe I did not word my question the correct way.
What I want to do is run a search query in the search bar that includes all the parameter fields in the Splunk Alert.
So I need to add the cron time frame to my original search query .
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
