Alerting

How to configure a cron schedule for an alert to run on the last business day of the month?

prakashbhanu407
New Member

I need to configure an alert to run on the last business day of the month.
How do I write the cron expression for it?

0 Karma
1 Solution

somesoni2
SplunkTrust

I don't think Splunk cron can give you the last business day. What you can do is run your alert search on the last 7 days of the month. Then, within your search, add logic so that if it's not the last business day of the month, the search does not produce a result for the alert.

For example, you can use the cron 5 4 25-31 * * to run the search "At 04:05 on the 25th, 26th, 27th, 28th, 29th, 30th and 31st of every month." Then you can add the following subsearch to your main search so that it returns 1=1 when it's the last working day of the month, and 1=2 otherwise:

| gentimes start=-1
| eval lastDOM=relative_time(now(),"+1mon@mon-1d")
| eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
| eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2")
| table query

For example, an alert for checking the error count in Splunk's internal logs would look like this:

index=_internal sourcetype=splunkd log_level=ERROR
    [| gentimes start=-1
     | eval lastDOM=relative_time(now(),"+1mon@mon-1d")
     | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
     | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2")
     | table query]


0 Karma
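The date arithmetic in the accepted answer, re-implemented in Python as an added example (this is not code from the post above or from Splunk) so the rule can be checked against a real calendar: last_day_of_month() is relative_time(now(),"+1mon@mon-1d"), last_business_day() is the case() that rolls Saturday and Sunday back to Friday, and subsearch_query() is the value the subsearch's query field carries. It goes beyond the post in two ways: the weekend roll-back is written as a loop that can also skip an optional holiday set (the holiday set is an assumption of this example; the SPL only skips weekends), and schedule_covers() checks, for every month of a range of years, whether the 25-31 day-of-month window of the cron actually contains the last business day.

```python
"""Last-business-day-of-month gate, mirroring the SPL subsearch from the accepted answer.

Added example, not code from the original post. Mapping to the SPL:
  lastDOM  = relative_time(now(), "+1mon@mon-1d")          -> last_day_of_month()
  lastWDOM = case(Sun -> -2d@d, Sat -> -1d@d, else lastDOM) -> last_business_day()
  query    = if(today == lastWDOM, "1=1", "1=2")           -> subsearch_query()
The `holidays` parameter is an assumption of this example; the SPL only skips weekends.
"""
from datetime import date, timedelta
from typing import FrozenSet, Iterable, Set, Union

SATURDAY = 5  # date.weekday(): Monday == 0 ... Saturday == 5, Sunday == 6

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept either a date or an ISO string such as '2021-02-28'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def last_day_of_month(d: DateLike) -> date:
    """Same as relative_time(now(), "+1mon@mon-1d"): first of next month, minus one day."""
    d = _as_date(d)
    first_of_next = date(d.year + (1 if d.month == 12 else 0), d.month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def last_business_day(d: DateLike, holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll the last calendar day back while it lands on a weekend (or a listed holiday).

    The SPL case() only handles Sat/Sun; the loop generalises that to any run of
    consecutive non-business days at the end of the month.
    """
    day = last_day_of_month(d)
    while day.weekday() >= SATURDAY or day in holidays:
        day -= timedelta(days=1)
    return day


def subsearch_query(today: DateLike, holidays: FrozenSet[date] = frozenset()) -> str:
    """Value the subsearch's 'query' field would carry when run on `today`."""
    today = _as_date(today)
    return "1=1" if today == last_business_day(today, holidays) else "1=2"


def cron_days(field: str) -> Set[int]:
    """Expand the day-of-month field of a cron expression, e.g. '25-31' or '1,15'."""
    days: Set[int] = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        days.update(range(int(lo), int(hi or lo) + 1))
    return days


def earliest_last_business_day(years: Iterable[int], holidays: FrozenSet[date] = frozenset()) -> int:
    """Smallest day-of-month number the last business day takes across the given years."""
    return min(last_business_day(date(y, m, 1), holidays).day for y in years for m in range(1, 13))


def schedule_covers(cron_dom_field: str, years: Iterable[int],
                    holidays: FrozenSet[date] = frozenset()) -> bool:
    """True if every month's last business day falls on a day the cron field schedules."""
    scheduled = cron_days(cron_dom_field)
    return all(last_business_day(date(y, m, 1), holidays).day in scheduled
               for y in years for m in range(1, 13))


if __name__ == "__main__":
    years = range(2000, 2100)
    print("earliest last business day:", earliest_last_business_day(years))   # 26
    print("5 4 25-31 * * covers every month:", schedule_covers("25-31", years))  # True
    print("2021-02-28 (Sunday) ->", subsearch_query("2021-02-28"))  # 1=2
    print("2021-02-26 (Friday) ->", subsearch_query("2021-02-26"))  # 1=1
    # Constructed holiday set: the Thursday and Friday before a Sunday month end.
    feb_2021_holidays = frozenset({date(2021, 2, 25), date(2021, 2, 26)})
    print("25-31 still covers Feb 2021 with those holidays:",
          schedule_covers("25-31", [2021], feb_2021_holidays))  # False
```

Run stand-alone, it reports that the earliest a last business day can fall is the 26th (a 28-day February ending on a Sunday, as in 2021), so the 25-31 window in the answer is safe as long as only weekends are skipped. Feed it a holiday set and the same check fails for February 2021 once the 25th and 26th are both holidays; that is the case the SPL case() does not handle, and it would need both a wider cron window and a holiday lookup in the subsearch.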


prakashbhanu407
New Member

When I try to use it with my search as below, it is not taking the result of the subsearch as a condition.

index=MyIndex queryType="ts" filename=Pharmacy_*.JSON
| table filename
| stats count(filename) as JSONFiles
    [| gentimes start=-1
     | eval lastDOM=relative_time(now(),"+1mon@mon-1d")
     | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
     | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2")
     | table query]

Result: I am getting an error that (1=2) is an invalid argument for stats.
The main search is not taking the subsearch query result as a condition.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The subsearch should be added to the base search portion (before the first pipe). Try this:

index=MyIndex queryType="ts" filename=Pharmacy_*.JSON
    [| gentimes start=-1
     | eval lastDOM=relative_time(now(),"+1mon@mon-1d")
     | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
     | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2")
     | table query]
| table filename
| stats count(filename) as JSONFiles
0 Karma

prakashbhanu407
New Member

It is not working. Is there a typo in my query? I have removed the " in the subsearch to make the output boolean.

I am getting the response even when the run day is not the last working day of the month; it is not taking the gentimes subsearch result as a condition to process the search part after the first |.

index=MyIndex queryType="ts" filename=Pharmacy*.JSON
    [| gentimes start=-1
     | eval lastDOM=relative_time(now(),"+1mon@mon-1d")
     | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
     | eval query=if(relative_time(now(),"@d")=lastWDOM,1=1,1=2)
     | table query]
| table _time,accountName,filename,filesize
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Let's try this. If it doesn't work, just run the subsearch separately and check what you get as index.

index=MyIndex queryType="ts" filename=Pharmacy*.JSON
    [| gentimes start=-1
     | eval lastDOM=relative_time(now(),"+1mon@mon-1d")
     | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
     | eval index=if(relative_time(now(),"@d")=lastWDOM,"MyIndex","YouWillNotFindThisIndex")
     | table index]
| table _time,accountName,filename,filesize
0 Karma

prakashbhanu407
New Member

I tried it as below and I am getting a response:

index=MyIndex queryType="ts" filename=Pharmacy_*.JSON
| table filename
| stats count(filename) as JSONFiles
| appendcols
    [| gentimes start=-1
     | eval lastDOM=relative_time(now(),"+1mon@mon-1d")
     | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"), strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"), 1=1, lastDOM)
     | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2")
     | table query]
| where query="1=2"
| table JSONFiles
0 Karma