Alerting

How to write a cron schedule for a single alert to run at 4:50 AM and 5:05 AM?

xbbj3nj
Path Finder

Hi All,

How to write a cron a expression that runs only at 4:50 AM and 5:05 AM on a day.

Note: I want to save it as a single alert, I want to run it from Monday through-Friday.

I tried something like below, but it will run @ 4:50 AM and 5:50 AM.
50 4-5 * * * 1-5

I want to run @ 4:50 AM and schedule it for the next 15th minute . Is this possible ? Please let me know.

Tags (3)
0 Karma

jyotipatil14
New Member

try 50,0 4,5 * 1-5 .... ( I tried this and it worked 🙂 )

That is for windows , for Unix replace comma by right slash /

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Couldn't figure out direct method. But this may be a workaround.
Use this cron: 5-49/5 4-5 * * 1-5

This will make your alert search to run 4 time a day from Mon-Fri @ 4:05, 4:50, 5:05, 5:50.
Next step will be to include following filters in your alert search string, in the base search section to basically no action to be taken if its run during 4:05 and 5:50.

e.g. if your alert search is like this

index=_internal ERROR | stats count | where count>0

Alert condition: if no of events > 0

Modified search:
index=_internal ERROR [|gentimes start=-1 | eval hour=tonumber(strftime(now(),"%H")) | eval min=tonumber(strftime(now(),"%M")) | eval search=if((hour=4 AND min<50) OR (hour=5 AND min>5),"1=2","") | table search ]| stats count | where count>0

0 Karma

saivineet
New Member

what is this 5-59/45

0 Karma

somesoni2
SplunkTrust
SplunkTrust

It actually should be just 5-49/5 4-5 * * 1-5. It will run for hour 4 OR 5, every 5 min starting from 5th minute to 49th (minutes are represented as 0 to 59, I'm skipping execution on 0th/50th/55th minute). Then the subsearch will ensure to not to run anything unless hour is 4 and min is 50 OR hour is 5 and minute is 5

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...