Alerting

Schedule alert with different cron condition

praddasg
Path Finder

Hello All,

I have an alert policy which triggers at 10% every 15 minutes. The current expression for this is */15 * * * *

Because there are fewer transactions overnight and on the weekend, I want to use a different condition, i.e. trigger at 50%.
So the questions are:
1. For the existing 10%, I want to schedule only for weekdays from 8 AM to 5 PM. Will this be the cron expression */15 8-17 * * 1-4
2. For the new 50%, I want to schedule 5 PM to 8 AM the next day and all day long over the weekend. Will this be the cron expression */15 17-8,0-23 * * 1-4,5-0

0 Karma
1 Solution

manjunathmeti
SplunkTrust

Hi @praddasg,

1. This is correct if your weekdays don't include Friday. If they include Friday, then change it to:

*/15 8-17 * * 1-5 (Every 15 minutes, between 08:00 AM and 05:59 PM, Monday through Friday)

2. It'll be better if you write 2 cron expressions for the 50% alert.

Cron 1:

*/15 18-7 * * 1-4 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Thursday)

OR

*/15 18-7 * * 1-5 (Every 15 minutes, between 06:00 PM and 07:59 AM, Monday through Friday)

Cron 2:

*/15 0-23 * * 5-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Friday through Sunday)

OR

*/15 0-23 * * 6-0 (Every 15 minutes, between 12:00 AM and 11:59 PM, Saturday through Sunday)

0 Karma

praddasg
Path Finder

Hello @manjunathmeti @rich7177

Thanks for the comments. A few questions:

  1. As per the Splunk documentation, Sunday is treated as 0. Day of the week: 0-6 (where 0 = Sunday)
    https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/CronExpressions
    Is this not correct?

  2. Can I not set crons for a single alert like */15 17-8,0-23 * * 1-4,5-0 over here https://share.getcloudapp.com/xQugnl7g
    OR
    Do I have to set two separate alerts (for the same conditions, i.e. to trigger at 50%) with separate crons, one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

0 Karma

manjunathmeti
SplunkTrust

Hi @praddasg,

  1. Yes, 0 is Sunday in Day of the week: 0-6.
  2. You need to set two separate alerts (for the same conditions, i.e. to trigger at 50%) with separate crons, one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0

Richfez
SplunkTrust

Almost.

*/15 8-17 * * 1-4 will actually only do it Monday to Thursday. You'd want 1-5 to do Monday to Friday. Like */15 8-17 * * 1-4

For your after hours, I think you should separate it into */15 17-23,0-8 * * 1-5 for weekdays after hours, then */15 * * * 6,7 for the weekends.

And that would be your three schedules - the after hours and weekends one would just use the same report cloned.

0 Karma
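
Added example (not part of any post in this thread, and not Splunk code): a small Python check that expands a set of alert cron schedules over one week and reports quarter-hour slots that no alert covers or that more than one alert covers. The function names and the two 50% expressions are this example's own; they are written with non-wrapping ranges, and wrap-around ranges such as 18-7 or 6-0 are rejected because the thread does not establish how the scheduler interprets them.

```python
from itertools import product

# Field bounds for the three fields checked (0 = Sunday, per the docs linked in the thread).
BOUNDS = {"minute": (0, 59), "hour": (0, 23), "dow": (0, 6)}

def expand(field, name):
    """Expand one cron field into a set of ints. Supports *, */n, a-b, a-b/n and comma lists."""
    lo, hi = BOUNDS[name]
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = end = int(rng)
        # Wrap-around ranges (start > end) are rejected rather than guessed at.
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"unsupported {name} field: {part!r}")
        values.update(range(start, end + 1, step))
    return values

def slots(expr):
    """Return the (dow, hour, minute) slots at which a 5-field cron expression fires."""
    minute, hour, dom, month, dow = expr.split()
    if (dom, month) != ("*", "*"):
        raise ValueError("this check assumes day-of-month and month are '*'")
    return set(product(expand(dow, "dow"), expand(hour, "hour"), expand(minute, "minute")))

def audit(schedules):
    """Return (gaps, overlaps) over every quarter-hour slot of the week."""
    week = set(product(range(7), range(24), range(0, 60, 15)))
    fired = [slots(expr) for expr in schedules.values()]
    covered = set().union(*fired)
    overlaps = {s for s in covered if sum(s in f for f in fired) > 1}
    return week - covered, overlaps

# Constructed schedules: the 50% expressions are non-wrapping rewrites, not taken from the thread.
SCHEDULES = {
    "10% business hours": "*/15 8-17 * * 1-5",
    "50% weekday after hours": "*/15 0-7,18-23 * * 1-5",
    "50% weekend": "*/15 * * * 0,6",
}

if __name__ == "__main__":
    gaps, overlaps = audit(SCHEDULES)
    print(f"gaps={len(gaps)} overlaps={len(overlaps)}")
```

Running the same audit with after-hours hours written as 0-8,17-23 next to a business-hours range of 8-17 reports overlaps in the 08:xx and 17:xx slots, where both alerts would be scheduled.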