I want to create real-time alerts from a search which is fired when a condition is met, but only between a specific time duration, e.g. 9AM to 5PM every weekday, excluding weekends. How can I do that?
I found an answer at the link below; I am wondering how I can restrict this search to run only during weekdays.
http://splunk-base.splunk.com/answers/2219/search-command-for-work-time
If you want to restrict the schedule of the search to only business days, then use the cron job notation for the search schedule:
Example, from 9am to 5pm, Monday to Friday:
* 9-17 * * 1-5
# Minute Hour Day of Month Month Day of Week Command
# (0-59) (0-23) (1-31) (1-12 or Jan-Dec) (0-6 or Sun-Sat)
If your goal is to search over a specific time range, then you need to use the search time range and play with the date_* fields in the search conditions.
see http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/SearchTimeModifiers
and http://docs.splunk.com/Documentation/Splunk/4.3.3/User/UseDefaultAndInternalFields
For example, to run a search over yesterday, looking only at events between 9am and 5pm (date_hour>=9 keeps the 9 o'clock hour; date_hour<17 stops at 16:59):
earliest=-1d@d latest=@d date_hour>=9 date_hour<17
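As an added illustration that is not part of the original answer, here is a small Python model of the two mechanisms the answer contrasts: the cron schedule decides when the search runs (note that hour range 9-17 still fires during the 17:00 hour), while a date_hour-style filter decides which events the search keeps. The cron matcher, the sample timestamps and the event list are all constructed for this example.

```python
from datetime import datetime

def _field_matches(spec: str, value: int) -> bool:
    """Match one cron field ('*', 'a', 'a-b', 'a,b-c') against a value."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if low <= value <= high:
            return True
    return False

def cron_matches(expr: str, when: datetime) -> bool:
    """True if a 5-field cron schedule would fire at the minute `when`.
    Day-of-week uses cron numbering: 0=Sunday .. 6=Saturday."""
    minute, hour, dom, month, dow = expr.split()
    cron_dow = (when.weekday() + 1) % 7   # Python Monday=0 -> cron Monday=1
    return (_field_matches(minute, when.minute)
            and _field_matches(hour, when.hour)
            and _field_matches(dom, when.day)
            and _field_matches(month, when.month)
            and _field_matches(dow, cron_dow))

def in_business_hours(event_time: datetime, start_hour=9, end_hour=17) -> bool:
    """Search-time equivalent of 'date_hour>=9 date_hour<17' on an event timestamp."""
    return start_hour <= event_time.hour < end_hour

def kept_events(events):
    """Apply the search-time filter to constructed event timestamps."""
    return [e for e in events if in_business_hours(e)]

# Constructed sample timestamps: 2012-06-15 is a Friday, 2012-06-16 a Saturday.
SCHEDULE = "* 9-17 * * 1-5"
FRIDAY_1730 = datetime(2012, 6, 15, 17, 30)
FRIDAY_0859 = datetime(2012, 6, 15, 8, 59)
SATURDAY_1000 = datetime(2012, 6, 16, 10, 0)
EVENTS = [datetime(2012, 6, 15, 9, 5), FRIDAY_1730, datetime(2012, 6, 15, 12, 0)]

if __name__ == "__main__":
    print("cron fires Friday 17:30:", cron_matches(SCHEDULE, FRIDAY_1730))   # True
    print("cron fires Saturday 10:00:", cron_matches(SCHEDULE, SATURDAY_1000))  # False
    print("events kept by date_hour filter:", kept_events(EVENTS))  # two events
```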