Cron Expression to run at every 15th minute daily ...

loureni1 · ‎04-04-2018

Can you help me with a Cron job to run daily at every 15th minute on every day except Sunday 1.00AM to 6.00AM . On Sunday 1 to 6am system maintenance and don't want to receive any alerts during this time.

elliotproebstel · ‎04-04-2018

Personally, I'd schedule the alert to run every 15 minutes of every day and then create a macro called ignore_maintenance_window. The macro code would look like this:

eval is_sunday=if(tonumber(strftime(now(), "%w"))=0, 1, 0), is_blocked_time=if(tonumber(strftime(now(), "%H"))>=1 AND tonumber(strftime(now(), "%H"))<=6, 1, 0) 
| search is_sunday=0 OR is_blocked_time=0
| fields - is_sunday is_blocked_time

This macro will apply to every event two fields is_sunday and is_blocked_time, and the value will be the same for every event, because it's looking at the current time, not the time of the event. It will then filter out all events that are marked as is_sunday=1 and is_blocked_time=1, so assuming your alert will only generate notification if event count is greater than 0, then this will prevent the alert from firing during the maintenance window. You'd apply it like this:

your base search
| `ignore_maintenance_window`

Cron Expression to run at every 15th minute daily except on Sunday from 1am to 6.00PM

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...