How to write a crontab from Monday 6 AM through Saturday 2 AM to run once an hour.
Check out my (sadly unaccpted) answer here for how to do it:
https://answers.splunk.com/answers/172541/is-it-possible-to-purposely-cause-a-scheduled-sear.html
Hi srisplunk12,
It's not possible to write only one crontab for your need.
The closest solution is to create three alerts with three complementary crontabs:
- 0 * * * 2-5
- 0 6-23 * * 1
- 0 0-1 * * 6
Bye.
Giuseppe
@cusello Oh! I wish Splunk provided a way to write them in one alert... anyway, thank you for letting me know.
Hi srisplunk12,
As suggested by Woodcock, you can filter events in your search and use only one crontab; this way your search always runs but finds events only in the defined window.
Add this to your search:
NOT (date_wday="sunday" OR (date_wday="monday" date_hour<2) OR (date_wday="saturday" date_hour>6))
Bye.
Giuseppe
So this is my understanding of the above query; correct me if I am wrong.
It would fetch me events from Monday > 2 AM through Saturday < 6 AM.
@cusello, @woodcock, can you please say whether my understanding above is correct?
Correct, he switched the 6 and the 2 based on your OP.
@woodcock, so I think this will be my search string to fetch the events from Monday > 6 AM to Saturday < 2 AM:
"NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6) OR (date_wday="saturday" date_hour>2))"
Kindly confirm.
Notice the NOT. You should not have switched the comparators. It should be this:
NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6) OR (date_wday="saturday" date_hour>2))
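The three crontabs in Giuseppe's first answer and the corrected date_wday/date_hour filter above are meant to describe the same window (Monday 06:00 through Saturday 02:00, one run per hour), but they do not quite agree. The script below is an added example, not from anyone in this thread: it walks every top-of-the-hour slot of one week, evaluates the three crontabs with a small, deliberately simplified cron matcher (only `*`, single numbers, ranges and comma lists, which is all these expressions use), evaluates a Python equivalent of the SPL clause, and reports the slots where the two disagree. The week start date is a constructed Sunday; the cron day-of-week numbering (0 = Sunday, 6 = Saturday) and the lowercase day names that Splunk puts in date_wday are the only assumptions.

```python
from datetime import datetime, timedelta

# Cron day-of-week numbering (0 = Sunday ... 6 = Saturday), and the
# lowercase names Splunk uses for the date_wday field.
CRON_DOW_NAMES = ["sunday", "monday", "tuesday", "wednesday",
                  "thursday", "friday", "saturday"]

# The three complementary crontabs from the thread.
THREE_CRONTABS = ["0 * * * 2-5", "0 6-23 * * 1", "0 0-1 * * 6"]


def cron_field_matches(field, value):
    """Simplified cron field matcher: '*', 'n', 'a-b' and comma lists.
    Step syntax (e.g. '*/2') is intentionally not supported."""
    for part in field.split(","):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_matches(expr, dt):
    """True if a standard 5-field cron expression fires at datetime dt."""
    minute, hour, dom, month, dow = expr.split()
    cron_dow = (dt.weekday() + 1) % 7   # Python: Monday=0 -> cron: Monday=1
    return (cron_field_matches(minute, dt.minute)
            and cron_field_matches(hour, dt.hour)
            and cron_field_matches(dom, dt.day)
            and cron_field_matches(month, dt.month)
            and cron_field_matches(dow, cron_dow))


def scheduled_by_crontabs(dt, crontabs=THREE_CRONTABS):
    """True if any of the three alert schedules fires at dt."""
    return any(cron_matches(c, dt) for c in crontabs)


def passes_spl_filter(wday, hour):
    """Python equivalent of the corrected SPL clause:
    NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6)
         OR (date_wday="saturday" date_hour>2))"""
    excluded = (wday == "sunday"
                or (wday == "monday" and hour < 6)
                or (wday == "saturday" and hour > 2))
    return not excluded


def week_slots(start=datetime(2024, 1, 7)):
    """Every top-of-the-hour slot in one week; 2024-01-07 is a constructed Sunday."""
    return [start + timedelta(hours=i) for i in range(7 * 24)]


def count_cron_runs():
    """Number of hourly runs per week produced by the three crontabs."""
    return sum(1 for dt in week_slots() if scheduled_by_crontabs(dt))


def count_filter_hours():
    """Number of hour slots per week the SPL filter lets through."""
    return sum(1 for dt in week_slots()
               if passes_spl_filter(CRON_DOW_NAMES[(dt.weekday() + 1) % 7], dt.hour))


def compare_week():
    """Return (date_wday, date_hour) slots where crontabs and filter disagree."""
    mismatches = []
    for dt in week_slots():
        wday = CRON_DOW_NAMES[(dt.weekday() + 1) % 7]
        if scheduled_by_crontabs(dt) != passes_spl_filter(wday, dt.hour):
            mismatches.append((wday, dt.hour))
    return mismatches


if __name__ == "__main__":
    print("cron runs/week:", count_cron_runs())
    print("filter hours/week:", count_filter_hours())
    print("disagreements:", compare_week())
```

The only disagreement is Saturday at hour 2: `0 0-1 * * 6` fires at 00:00 and 01:00 only, while `date_hour>2` excludes hours 3 and later, so the filter keeps events from 02:00 to 02:59 as well. Pick whichever reading of "through 2 AM" you actually want and adjust either `0-1` or `>2` so the two agree. One further point to keep in mind with the filter approach: date_wday and date_hour describe the event's timestamp, not when the search runs, so the single hourly schedule must still use a time range that covers the events you expect to find.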
@woodcock, the only change I can see in your reply is removing the " " at the start and end.
Never mind. They are the same (you are correct).
@woodcock, not to split hairs, but when you replied "not to switch the comparators" I thought I would need to change the search string to something like this: NOT (date_wday="sunday" OR (date_wday="monday" date_hour>6) OR (date_wday="saturday" date_hour<2)), hence the question. Thanks for the help 🙂
I misread the operators in your descriptive text as operators in your search text and posted a hasty answer. Then I noticed my mistake and deleted that update and posted the one that is here now.
ok thanks 🙂
It is possible. Did you look at my answer? Follow the link and that's how to do it.
Thank you @Giuseppe, but can you please advise how I put all four expressions in a single Splunk alert?
If the schedule you described is a mandatory rule, the only way is to create three identical alerts with the same search but different schedules.
Bye.
Giuseppe
Or use my answer, which does it.