Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

create scheduled search and alerting between 7pm to 7am

ash2
Explorer
‎10-27-2023 01:42 PM

How to schedule search between 7pm to 7am and alert if and only if there is an event recorded between 7pm to 7am? my cron expression is */15 19-23,0-6 * * *. What should be the earliest and latest value?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-27-2023 05:45 PM

You only need to report if an event arrived since the last time the search ran.  If an event came in earlier then the previous run of the search would have found it.  So, run every 15 minutes and use earliest=-15m or run once at 7am and use earliest=-12h or something in between.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-27-2023 02:08 PM

If the search runs every 15 minutes then there's little reason to search more than 20 minute back.  So, earliest=-20m latest=now.  What is the use case?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎10-27-2023 02:34 PM

@richgalloway thank you for your reply. so, what im trying to achieve is, i want to trigger an email alert if there is any event between the time period 7pm to next day 7am. I'm using scheduled alerting mechanism. My cron scheduler runs every 15mins starting from 7pm until 7am next day. During this period if it comes across any event record after 7pm and before 7am next day from a search. I want to trigger an email. But im struggling to embed time range for search between 7pm to 7am. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-27-2023 05:45 PM

You only need to report if an event arrived since the last time the search ran.  If an event came in earlier then the previous run of the search would have found it.  So, run every 15 minutes and use earliest=-15m or run once at 7am and use earliest=-12h or something in between.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-28-2023 12:47 AM

There is a possible use case of searching throughout the whole 7pm-7am range if there is a possibility of an event indexing late (with a significant lag). While typically it signifies problems with data quality or problems with the processing pipeline, there are some ingestion schemes for which that can be a normal mode of operation (for example WEF in pull mode has 30minutes interval by default if I remember correctly).

In such case you can manipulate your time range similarily to

earliest=@d+19h

You should even be able to do (but I haven't tested it since I don't have a Splunk instance available at the moment) something like

earliest=-12h@d+19h

Fiddle with this and check if it's what you need

But if your data is ingested with a constant flow then you should be ok with monitoring just most recently ingested part as @richgalloway said. Either use a searching window slightly longer than your scheduled interval in order not to miss any slightly lagged events or use continuous schedule.

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...