
I need to monitor for unscheduled downtime while avoiding scheduled downtime that happens at an unequal hour boundary.

Detecting downtime is easy (look for no heartbeat events in the last 60s). Setting crontab to start running the searches on an equal hour boundary (say, 01:00) is easy. However, it seems to be impossible to set crontab to start at an unequal hour boundary (say, 00:40).

Is there another way to implement such search?

asked 12 Jul '11, 16:24


JoeTF2
12
accept rate: 0%


3 Answers:

I'm not sure I understand your question, but a crontab entry of:

40 * * * *

will run every hour at 40 minutes past the hour, but I don't know what you mean when you say you want to run every minute, but also only at 40 minutes past an hour.


answered 12 Jul '11, 21:33


gkanapathy ♦
36.8k81228
accept rate: 41%

I need it to run every minute, starting from 00:40: 00:40, 00:41, 00:42, ... 02:20

but NOT on 00:19, 02:21, 02:42.

(13 Jul '11, 04:35) JoeTF2

I don't think you can do this using cron only. I assume you are using this for an alert, so the way I would approach it is to run every minute between midnight and 3am.

Cron * 0-3 * * *

Then use the custom condition and where command to limit the time. Assuming you were looking for zero events...

where count=0 AND date_hour*100+date_minute>39 AND date_hour*100+date_minute<221

so my savedsearch looks like this:

[downtime]
search = heartbeat | stats count by host
enableSched = 1
cron_schedule = * 0-3 * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = @m
alert.track = 1
alert_condition = where count=0 AND date_hour*100+date_minute>39 AND date_hour*100+date_minute<221
counttype = custom
action.email = 1
action.email.inline = 1
action.email.sendresults = 1
action.email.to = me@mycompany.com
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 5m
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
vsid = gq1ya7b9


Oops! Sorry, not thinking straight there. Adding the following to your search will do what you want:

| where date_hour*100+date_minute>39 AND date_hour*100+date_minute<221

answered 13 Jul '11, 00:21


BobM
2.7k4614
accept rate: 32%

edited 01 Aug '11, 01:39

Thank you for your reply. However, I cannot get alert condition to trigger.

How can it match date_hour and date_minute fields, if there are no events to match?

(13 Jul '11, 04:31) JoeTF2
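The window arithmetic from the answer above, and the reason the alert in the follow-up comment never triggers, as an added Python example (not from the thread, which uses Splunk's savedsearches.conf and SPL). The heartbeat events, the ISO-8601 timestamp format and the single host are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample heartbeats as (host, ISO-8601 timestamp); the gap between
# 00:39:40 and 02:59:30 is the scheduled maintenance window from the question.
HEARTBEATS = [
    ("web01", "2011-07-13T00:39:10"),
    ("web01", "2011-07-13T00:39:40"),
    ("web01", "2011-07-13T02:59:30"),
    ("web01", "2011-07-13T03:00:00"),
]

def in_maintenance_window(now_iso):
    """Same test as the answer's where clause,
    date_hour*100+date_minute>39 AND date_hour*100+date_minute<221
    (00:40 through 02:20 inclusive), but evaluated on the scheduler's clock."""
    t = datetime.fromisoformat(now_iso)
    return 39 < t.hour * 100 + t.minute < 221

def recent_events(now_iso, window_s=60):
    """Events inside the search window -1m@m .. @m, i.e. [now-60s, now)."""
    now = datetime.fromisoformat(now_iso)
    lo = now - timedelta(seconds=window_s)
    return [(h, ts) for h, ts in HEARTBEATS
            if lo <= datetime.fromisoformat(ts) < now]

def event_field_condition(now_iso):
    """Emulates `heartbeat | stats count by host | where count=0 AND ...`:
    stats only emits a row for a host that has events, so when no heartbeats
    arrived there is no row at all, count is never 0, and the date_hour and
    date_minute fields the where clause needs do not exist either."""
    counts = {}
    for host, _ in recent_events(now_iso):
        counts[host] = counts.get(host, 0) + 1
    return any(c == 0 for c in counts.values())   # always False

def should_alert(now_iso):
    """Zero heartbeats in the last minute, gated on the scheduler's own time
    rather than on fields of events that may not exist."""
    if in_maintenance_window(now_iso):
        return False
    return len(recent_events(now_iso)) == 0
```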

This is the very, very low tech way of handling this - and it does not scale well - but you could always have multiple copies of the same scheduled search/alert.

It looks like it would take three cron entries:

cron_schedule=40-59 00 * * *
cron_schedule=* 1 * * *
cron_schedule=00-20 02 * * *

Note I'm assuming that Splunk's crontab is as flexible as Vixie cron - which it should be.


answered 13 Jul '11, 19:06


dwaddle ♦
17.9k2934
accept rate: 33%


Last updated: 01 Aug '11, 01:39

Copyright © 2005-2014 Splunk Inc. All rights reserved.