Hello all, using Splunk Enterprise here. I want to create a Splunk Alert based off one of my searches/saved reports. I need it to run Mon-Sunday between 5pm - 7am the following day in 15 minute intervals. I want it to alert ONLY for events that occur between 5pm - 7am. I almost got it to work, however when the e-mail alert comes in it has a listing of ALL events that happened for the entire day, and I need it to give me events that only occurred in the 5pm-7am range. Here is the Cron Expression I am using: */15 0-7,16-23 * * * Any ideas?
Cron tells Splunk when to run the search, but it doesn't tell it what data to look at. That's where the Earliest and Latest settings come into play.
What about using:
<your search> (date_hour>=17 OR date_hour<7)
and then your cron just runs every 15 mins during your alert hours?
Not tested, but it feels like it should work 🙂
(date_hour>=17 AND date_hour<7)
Hello Rich. Yeah, I am not really sure how the Earliest and Latest work. I see those options there, but they do not really make sense in my scenario.
Please accept an answer.
If you open your alert search from "Alerts" dashboard, what is the timerange picker values? OR if you open it from settings, what is the Start time and Finish time values?
Have you clicked the "Learn more" link under those options to see how they work?
The difficulty in your scenario is midnight. Setting Earliest=@d+17h will look for events after 5pm today (Mon), but when the search runs at 00:15 it will look for events after 5pm on Tuesday.
It's a tricky problem for which I don't have a solution at the moment.
And when I use earliest/latest options do I use the Cron job along with it too or only one or the other?
You should use both.
Thanks rich. I used both and I seem to have got it working.
Could I create two different alerts to solve this? One for 5pm through Midnight and a second alert for Midnight through 7am?
That's an option.
Well, if the search runs every 15 minutes, then somewhere in the first search line put
<yourbasesearch> earliest=-15m latest=now
Thanks JDuke!
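To show how the three pieces discussed above fit together (the cron schedule deciding when the search runs, the earliest/latest window deciding what data each run sees, and the date_hour clause keeping only after-hours events), here is an added savedsearches.conf stanza; it is an example written for this thread, not configuration from any of the posters, and the stanza name, index, sourcetype and recipient address are placeholders.

```ini
# savedsearches.conf (added example, not from the thread)
# Stanza name, index, sourcetype and recipient are placeholders.
[after_hours_alert]
# cron_schedule only decides WHEN the search runs: every 15 minutes
# during the 00:xx-07:xx and 16:xx-23:xx hours (the cron from the question).
enableSched = 1
cron_schedule = */15 0-7,16-23 * * *

# dispatch.earliest_time / dispatch.latest_time decide WHAT data each run
# looks at: only the last 15 minutes, so the e-mail never lists the whole day
# and the @d+17h midnight rollover problem does not arise.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# date_hour keeps only events stamped 17:00-06:59. The OR is what lets the
# window cross midnight; AND would never match an event, since no hour is
# both >= 17 and < 7.
search = index=PLACEHOLDER_INDEX sourcetype=PLACEHOLDER_SOURCETYPE (date_hour>=17 OR date_hour<7)

# Fire whenever the 15-minute window holds at least one matching event.
counttype = number of events
relation = greater than
quantity = 0

action.email = 1
action.email.to = PLACEHOLDER@example.com
```

Note that date_hour is taken from the timestamp text in the raw event rather than being adjusted to the searching user's time zone, so if your sources log in a different zone, compare strftime(_time, "%H") instead.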