Splunk Search

How to write a crontab running from Monday 6 AM through Saturday 2 AM

srisplunk12
Engager

How to write a crontab from Monday 6 AM through Saturday 2 AM to run once an hour.

0 Karma
1 Solution

woodcock
Esteemed Legend
0 Karma

woodcock
Esteemed Legend
0 Karma

gcusello
SplunkTrust

Hi srisplunk12,
It's not possible to write only one crontab for your need.
The closest solution would be to create three alerts with three complementary crontabs:

- 0 * * * 2-5 
- 0 6-23 * * 1 
- 0 0-1 * * 6

Bye.
Giuseppe

0 Karma

srisplunk12
Engager

@gcusello Oh! I wish Splunk provided a possibility to write them in one alert. Anyway, thank you for letting me know.

0 Karma

gcusello
SplunkTrust

Hi srisplunk12,
As suggested by woodcock, you can filter events in your search and use only one crontab; this way your search always runs but finds events only in the defined window.
Add to your search:

NOT (date_wday="sunday" OR (date_wday="monday" date_hour<2) OR (date_wday="saturday" date_hour>6))

Bye.
Giuseppe

0 Karma
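To check what the two approaches in this thread actually cover, here is an added Python example (not code from the thread or from Splunk) that models both gcusello's three complementary crontabs and the `NOT (date_wday=... date_hour...)` search clause, then walks every top-of-hour in one constructed week and compares them. The cron matcher, the `passes_filter` model and the `coverage_report` helper are all assumptions of this example, written only to the extent needed here (no `*/n` step syntax, no day names). It shows two things a practitioner would want to confirm before relying on either approach: the three crontabs together fire exactly 116 times a week, and the search clause is slightly wider, because `date_hour>2` excludes Saturday from 03:00 onward, so events stamped between 02:00 and 02:59 on Saturday still pass. Note also that `date_wday` and `date_hour` are derived from each event's own timestamp, not from when the scheduled search runs, which is why the filter is applied to event times below.

```python
from datetime import datetime, timedelta

# The three complementary crontabs from the answer above
# (minute hour day-of-month month day-of-week).
# Cron day-of-week: 0 (or 7) = Sunday, 1 = Monday, ..., 6 = Saturday.
CRONTABS = [
    "0 * * * 2-5",    # every hour, Tuesday to Friday
    "0 6-23 * * 1",   # 06:00 to 23:00 on Monday
    "0 0-1 * * 6",    # 00:00 and 01:00 on Saturday
]

# Constructed sample week for the demo: 2024-01-01 is a Monday.
SAMPLE_WEEK_START = datetime(2024, 1, 1)


def _expand(field, lo, hi):
    """Expand one cron field ('*', 'a-b', 'a,b' or 'a') into a set of ints."""
    values = set()
    for part in field.split(","):
        if part == "*":
            values.update(range(lo, hi + 1))
        elif "-" in part:
            a, b = part.split("-")
            values.update(range(int(a), int(b) + 1))
        else:
            values.add(int(part))
    return values


def cron_matches(expr, ts):
    """True if the five-field cron expression fires at datetime ts.

    Simplified matcher (assumption of this example): no step syntax and no
    names; day-of-month and day-of-week must both match, which is fine here
    because none of the expressions above restrict day-of-month.
    """
    minute, hour, dom, month, dow = expr.split()
    cron_dow = (ts.weekday() + 1) % 7  # Python Mon=0..Sun=6 -> cron Sun=0..Sat=6
    dows = _expand(dow, 0, 7)
    return (ts.minute in _expand(minute, 0, 59)
            and ts.hour in _expand(hour, 0, 23)
            and ts.day in _expand(dom, 1, 31)
            and ts.month in _expand(month, 1, 12)
            and (cron_dow in dows or (cron_dow == 0 and 7 in dows)))


def schedule_fires(ts):
    """True if at least one of the three crontabs fires at ts."""
    return any(cron_matches(c, ts) for c in CRONTABS)


def passes_filter(ts):
    """Python model of the SPL clause from the answer above:
    NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6)
         OR (date_wday="saturday" date_hour>2))
    ts is the event's own timestamp, as date_wday/date_hour are.
    """
    wday = ts.strftime("%A").lower()  # "monday", ... (C locale assumed)
    excluded = (wday == "sunday"
                or (wday == "monday" and ts.hour < 6)
                or (wday == "saturday" and ts.hour > 2))
    return not excluded


def week_hour(week_start, day_offset, hour):
    """Top of the given hour on day_offset days after week_start."""
    return week_start + timedelta(days=day_offset, hours=hour)


def coverage_report(week_start):
    """Compare both approaches at every top-of-hour in the 7 days from week_start."""
    cron_hours, filter_hours = 0, 0
    cron_only, filter_only = [], []
    for i in range(7 * 24):
        ts = week_start + timedelta(hours=i)
        fires, passes = schedule_fires(ts), passes_filter(ts)
        cron_hours += fires
        filter_hours += passes
        if fires and not passes:
            cron_only.append(ts)
        if passes and not fires:
            filter_only.append(ts)
    return {"cron_hours": cron_hours, "filter_hours": filter_hours,
            "cron_only": cron_only, "filter_only": filter_only}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_WEEK_START)
    print(f"crontabs fire {report['cron_hours']} times/week, "
          f"filter keeps {report['filter_hours']} hourly slots/week")
    for ts in report["filter_only"]:
        print("filter passes but no crontab fires:", ts.strftime("%A %H:%M"))
```

Running it reports 116 cron firings against 117 hourly slots kept by the filter, the extra slot being Saturday 02:00. If the window really must close at 02:00, tighten the clause to `date_hour>1` for Saturday or accept the extra hour; either way, checking the two representations against each other like this is cheaper than discovering a gap in an alert schedule after the fact.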

srisplunk12
Engager

So this is my understanding from the above query. Correct me if I am wrong.
It would fetch me events from Monday > 2 AM through Saturday < 6 AM.

0 Karma

srisplunk12
Engager

@gcusello, @woodcock, can you please say if my above understanding is correct?

0 Karma

woodcock
Esteemed Legend

Correct, he switched the 6 and the 2 based on your OP.

0 Karma

srisplunk12
Engager

@woodcock, so I think this will be my search string to fetch the events from Monday > 6 AM to Saturday < 2 AM:

"NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6) OR (date_wday="saturday" date_hour>2))"

Kindly confirm.

0 Karma

woodcock
Esteemed Legend

Notice the NOT. You should not have switched the comparators. It should be this:

NOT (date_wday="sunday" OR (date_wday="monday" date_hour<6) OR (date_wday="saturday" date_hour>2))

0 Karma

srisplunk12
Engager

@woodcock, the only change I could see in your reply is to remove the " " at the start and end.

0 Karma

woodcock
Esteemed Legend

Never mind. They are the same (you are correct).

0 Karma

srisplunk12
Engager

@woodcock, not to split hairs, but when you replied "not to switch the comparators" I thought I would need to change the search string to something like this: NOT (date_wday="sunday" OR (date_wday="monday" date_hour>6) OR (date_wday="saturday" date_hour<2)). Hence the question. Thanks for the help 🙂

0 Karma

woodcock
Esteemed Legend

I misread the operators in your descriptive text as operators in your search text and posted a hasty answer. Then I noticed my mistake and deleted that update and posted the one that is here now.

0 Karma

srisplunk12
Engager

OK, thanks 🙂

0 Karma

woodcock
Esteemed Legend

It is possible. Did you look at my answer? Follow the link and that's how to do it.

0 Karma

srisplunk12
Engager

Thank you @Giuseppe, but can you please advise on how I put all four expressions in a single Splunk alert?

0 Karma

gcusello
SplunkTrust

If the schedule you described is a mandatory rule, the only way is to create three identical alerts with the same search but different schedules.
Bye.
Giuseppe

0 Karma

woodcock
Esteemed Legend

Or use my answer, which does it.

0 Karma