Alerting

Little confused about Cron schedule for alerts...

Log_wrangler
Builder

I want to schedule a search to run 1 time every hour and email when results > 0.

From the documentation every hour is * * * * * ?

Also I want to optimize the search, does it help to use earliest of - 2d?

Thank you

0 Karma
1 Solution

tiagofbmm
Influencer

The earliest and latest you run the search is deeply dependent on what alarm time ranges you are aiming for.

About the cron, once every hour is:

0 * * * *


0 Karma

Log_wrangler
Builder

Thank you for confirming, otherwise all * * * * * would be every minute....

0 Karma

elliotproebstel
Champion

The answer from @tiagofbmm is totally correct, but I want to chime in and suggest that you consider ensuring your scheduled searches are not all scheduled to run at the same time. As you scale and grow, it's easy to run into situations where all your scheduled reports/alerts are trying to run at the same minute, so it's good to get into a habit of scheduling jobs to run on schedules that don't fall on the hour, half hour, etc. I find it useful to be in the practice of writing cron schedules like this:

7 * * * *

That will run the job every hour at 7 minutes past the hour. When I write new cron schedules, I just try to make that offset different every time and aim to avoid "roundish" numbers that are multiples of 5/15/30, since a lot of users will schedule their jobs to run "every 15 minutes", and I want my jobs to avoid colliding with those.

tiagofbmm
Influencer

@elliotproebstel you are correct. I didn't want to pass the idea that to run hourly, it has to have a 0 in the first section. Thanks for adding useful info. Upvoted.

0 Karma
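
Added example, not part of the original thread: a small Python check that expands the minute field of each cron schedule and reports the minutes of the hour where several scheduled alerts would fire together, which is the collision the reply above recommends avoiding. The schedule names and the sample set are constructed, and the check assumes every job runs in every hour, so only the first cron field is compared.

```python
from collections import defaultdict

def expand_field(field, lo, hi):
    """Expand one cron field ('*', '*/15', '7', '0-10/5', '0,30') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad cron field {field!r} for range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def minutes_fired(cron):
    """Minutes past the hour at which a 5-field cron schedule fires."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields, got {len(fields)}: {cron!r}")
    return sorted(expand_field(fields[0], 0, 59))

def minute_collisions(schedules, threshold=2):
    """Map minute -> job names, for minutes where at least `threshold` jobs start.

    Assumption: all jobs run every hour, so only the minute field is compared.
    """
    load = defaultdict(list)
    for name, cron in schedules.items():
        for minute in minutes_fired(cron):
            load[minute].append(name)
    return {m: sorted(n) for m, n in sorted(load.items()) if len(n) >= threshold}

# Constructed sample: three jobs on "round" minutes and one offset to minute 7.
SCHEDULES = {
    "hourly_alert": "0 * * * *",
    "every_15_report": "*/15 * * * *",
    "half_hourly_report": "0,30 * * * *",
    "offset_alert": "7 * * * *",
}

if __name__ == "__main__":
    print("'* * * * *' fires", len(minutes_fired("* * * * *")), "times per hour")
    for minute, jobs in minute_collisions(SCHEDULES).items():
        print(f"minute {minute:02d}: {', '.join(jobs)}")
```
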