How to create a Splunk alert cron for monday to fr...

taslimsama21 · ‎08-16-2023

Hi,

I am not able to give cron exp for alert to run every 10 min, for Mon to Fri for time 7:30AM to 8:00PM,

can anyone please help for this cron exp?

i only know this - */10 7-20 * * 1-5

but dont know how give 7:30 min instead 7am in this case.

Thanks, Taslim.

ITWhisperer · ‎08-16-2023

The cron expression you used will give you 0, 10, 20, 30, 40 and 50 past every hour between 7am and 8pm, Monday to Friday. That means 7:00 to 20:50. As @gcusello says, with this single expression, you will have to change your search to exclude times outside your desired times. Another alternative, is to have multiple reports with the same search but different schedules to cover the time periods you want e.g.

30,40,50 7 * * 1-5
0 8-20 * * 1-5
10,20,30,40,50 8-19 * * 1-5

taslimsama21 · ‎08-16-2023

Hi @ITWhisperer

I would prefer that exclude result for 7 to 7.30,

can you help me for that how to exclude ? tried few things but not working.

ITWhisperer · ‎08-16-2023

Are you trying to make it so that if the search runs between 7 and 7:30, there are no results, or trying to exclude events from these times from your search?

taslimsama21 · ‎08-16-2023

@ITWhisperer

my requirement is -

alert to run every 10 min, for Mon to Fri for time 7:30AM to 8:00PM,

but because i dont know how to give minutes in this cron -/10 7-19 * * 1-5

that's why i will give run for 7am to 8pm and then exclude result for 7.00 to 7.30,

ITWhisperer · ‎08-16-2023

That doesn't really answer my question. For example, your search which runs every 10 minutes could be using a relative timeframe to look (back) at the last 5 minutes, or the last 10 minutes or from 15 minutes prior the the current time to 5 minutes prior to the current time. So if this report ran at 7:30 would you want the report to run with this time frame, or to exclude any events which were before 7:30? That is, do you want the time restriction to apply to the events being used by the search?

Alternatively, do you want the report to find no results if it is running before 7:30, no matter what the timeframe of the search is?

taslimsama21 · ‎08-16-2023

@ITWhisperer

basically this will be an alert which will trigger if result is 0 for my search.

and i want to trigger the alert only between 7:30 AM to 8:00PM and for Monday to Friday.

so if result of my search is 0 for last 10min then trigger alert. and check every 10 min from 7.30AM and check till 8PM.

ITWhisperer · ‎08-16-2023

Given that you want to trigger when there are no results, this makes it a little trickier because you would have to create a dummy event if the result count is zero outside of the required hours. Try something like this at the end of your alert search

| appendpipe
    [| stats count as _count
    | where _count=0
    | eval ooh=if(tonumber(strftime(time(),"%H%M")) < 730 OR tonumber(strftime(time(),"%H%M")) >= 2000, "Out of hours", null())]

gcusello · ‎08-16-2023

Hi @taslimsama21,

you could use your cron expression for your search and adding a condition to your search, to exclude results from 7.00 to 7.30.

Ciao.

Giuseppe

taslimsama21 · ‎08-16-2023

Hi @gcusello

not working with below query,

 sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5

gcusello · ‎08-16-2023

Hi @taslimsama21 ,

please try this:

 sourcetype=foo
| eval 
   date_hour=strftime(_time, "%H"),
   date_minute=strftime(_time, "%M"),
   date_wday = strftime(_time, "%w")
| search (date_hour>=7 date_minute>=30) date_hour<=18 date_wday>=1 date_wday<=5

Ciao.

Giuseppe

How to create a Splunk alert cron for monday to friday 7:30 to 8PM ?

alert action

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...