I am not able to give cron exp for alert to run every 10 min, for Mon to Fri for time 7:30AM to 8:00PM,
can anyone please help for this cron exp?
I only know this: */10 7-20 * * 1-5
but I don't know how to give 7:30 instead of 7am in this case.
The cron expression you used will give you 0, 10, 20, 30, 40 and 50 past every hour between 7am and 8pm, Monday to Friday. That means 7:00 to 20:50. As @gcusello says, with this single expression, you will have to change your search to exclude times outside your desired times. Another alternative is to have multiple reports with the same search but different schedules to cover the time periods you want e.g.
My requirement is:
alert to run every 10 min, for Mon to Fri, for time 7:30AM to 8:00PM,
but because I don't know how to give minutes in this cron: */10 7-19 * * 1-5
that's why I will run it for 7am to 8pm and then exclude results for 7:00 to 7:30.
That doesn't really answer my question. For example, your search which runs every 10 minutes could be using a relative timeframe to look (back) at the last 5 minutes, or the last 10 minutes, or from 15 minutes prior to the current time to 5 minutes prior to the current time. So if this report ran at 7:30, would you want the report to run with this time frame, or to exclude any events which were before 7:30? That is, do you want the time restriction to apply to the events being used by the search?
Alternatively, do you want the report to find no results if it is running before 7:30, no matter what the timeframe of the search is?
Basically this will be an alert which will trigger if the result is 0 for my search,
and I want to trigger the alert only between 7:30AM and 8:00PM, Monday to Friday.
So if the result of my search is 0 for the last 10 min, then trigger the alert, and check every 10 min from 7:30AM until 8PM.
Given that you want to trigger when there are no results, this makes it a little trickier because you would have to create a dummy event if the result count is zero outside of the required hours. Try something like this at the end of your alert search:
| appendpipe [| stats count as _count | where _count=0 | eval ooh=if(tonumber(strftime(time(),"%H%M")) < 730 OR tonumber(strftime(time(),"%H%M")) >= 2000, "Out of hours", null())]
Hi @taslimsama21 ,
please try this:
sourcetype=foo | eval date_hour=tonumber(strftime(_time, "%H")), date_minute=tonumber(strftime(_time, "%M")), date_wday=tonumber(strftime(_time, "%w")) | search ((date_hour=7 date_minute>=30) OR date_hour>7) date_hour<=18 date_wday>=1 date_wday<=5
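
The multiple-schedule alternative mentioned earlier in the thread can be checked offline. The following is an added example, not code from any of the posters: it expands cron fields and compares the single expression from the question with a three-way split. The three split expressions and the decision to include the 20:00 run are assumptions.

```python
# Added example: expand cron fields and compare weekly fire times offline.
def expand(field, lo, hi):
    """Expand one cron field ('*', 'a', 'a-b', '*/n', 'a-b/n', comma lists)."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = int(rng)
            end = hi if "/" in part else start
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values

def fire_times(expr):
    """Return {(weekday, hour, minute)} for one week; weekday 1=Mon .. 5=Fri."""
    minute, hour, dom, month, dow = expr.split()
    if dom != "*" or month != "*":
        raise ValueError("only '*' is handled for day-of-month and month")
    return {(d, h, m)
            for d in expand(dow, 0, 6)
            for h in expand(hour, 0, 23)
            for m in expand(minute, 0, 59)}

def union(exprs):
    return set().union(*(fire_times(e) for e in exprs))

SINGLE = "*/10 7-20 * * 1-5"       # expression from the question
SPLIT = ["30-50/10 7 * * 1-5",     # 07:30, 07:40, 07:50 (assumed split)
         "*/10 8-19 * * 1-5",      # 08:00 .. 19:50
         "0 20 * * 1-5"]           # 20:00 (assumes the 20:00 run is wanted)

def in_window(t):
    """True when 07:30 <= time <= 20:00 on Monday to Friday."""
    d, h, m = t
    return 1 <= d <= 5 and 730 <= h * 100 + m <= 2000

def unwanted(expr):
    """Sorted HH:MM values at which expr fires outside the window."""
    return sorted({f"{h:02d}:{m:02d}" for d, h, m in fire_times(expr)
                   if not in_window((d, h, m))})

if __name__ == "__main__":
    print("single expression, out of window:", unwanted(SINGLE))
    print("split stays in window:", all(map(in_window, union(SPLIT))))
```

If the 20:00 run is not wanted, drop the third expression; the runs at 07:00 to 07:20 and 20:10 to 20:50 are the ones a single schedule has to filter out inside the search.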