Solved: Splunk Alert needed for a specific time frame

johann2017 · ‎02-21-2017

Hello all, using Splunk Enterprise here. I want to create a Splunk Alert based off one of my searches/saved reports. I need it to run Mon-Sunday between 5pm - 7am the following day in 15 minute intervals. I want it to alert ONLY for events that occur between 5pm - 7am. I almost got it to work, however when the e-mail alert comes in it has a listing of ALL events that happened for the entire day, and I need it to give me events that only occurred in the 5pm-7am range. Here is the Cron Expression I am using: */15 0-7,16-23 * * * Any ideas?

richgalloway · ‎02-21-2017

Cron tells Splunk when to run the search, but it doesn't tell it what data to look at. That's where the Earliest and Latest settings come into play.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

nickhills · ‎02-21-2017

What about using:
<your search> (date_hour>=17 OR date_hour<7)

and then your cron just runs every 15 mins during your alert hours?

not tested, but feels like it should work 🙂

If my comment helps, please give it a thumbs up!

rodrigo_santos · ‎05-14-2019

(date_hour>=17 AND date_hour<7)

richgalloway · ‎02-21-2017

Cron tells Splunk when to run the search, but it doesn't tell it what data to look at. That's where the Earliest and Latest settings come into play.

---
If this reply helps you, Karma would be appreciated.

johann2017 · ‎02-21-2017

Hello Rich. Yea I am not really sure how the Earliest and Latest works, I see those options there but does not really make sense in my scenario.

richgalloway · ‎02-24-2017

Please accept an answer.

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎02-21-2017

If you open your alert search from "Alerts" dashboard, what is the timerange picker values? OR if you open it from settings, what is the Start time and Finish time values?

richgalloway · ‎02-21-2017

Have you clicked the "Learn more" link under those options to see how they work?
The difficulty in your scenario is midnight. Setting Earliest=@d+17h will look for events after 5pm today (Mon), but when the search runs at 00:15 it will look for events after 5pm on Tuesday.
It's a tricky problem for which I don't have a solution at the moment.

---
If this reply helps you, Karma would be appreciated.

johann2017 · ‎02-21-2017

And when I use earliest/latest options do I use the Cron job along with it too or only one or the other?

richgalloway · ‎02-21-2017

You should use both,

---
If this reply helps you, Karma would be appreciated.

johann2017 · ‎02-23-2017

Thanks rich. I used both and I seem to have got it working.

johann2017 · ‎02-21-2017

Could I create two different alerts to solve this? One for 5pm through Midnight and a second alert for Midnight through 7am?

richgalloway · ‎02-21-2017

That's an option.

---
If this reply helps you, Karma would be appreciated.

JDukeSplunk · ‎02-21-2017

Well, if the search runs every 15 minutes, then somewhere in the first search line put

<yourbasesearch> earliest=-15m latest=now

johann2017 · ‎02-23-2017

Thanks JDuke!

Splunk Alert needed for a specific time frame

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!