Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cron Expression to run at every 15th minute daily except on Sunday from 1am to 6.00PM

loureni1
Explorer
‎04-04-2018 11:29 AM

Can you help me with a Cron job to run daily at every 15th minute on every day except Sunday 1.00AM to 6.00AM . On Sunday 1 to 6am system maintenance and don't want to receive any alerts during this time.

0 Karma
Reply

elliotproebstel
Champion
‎04-04-2018 11:54 AM

Personally, I'd schedule the alert to run every 15 minutes of every day and then create a macro called ignore_maintenance_window. The macro code would look like this:

eval is_sunday=if(tonumber(strftime(now(), "%w"))=0, 1, 0), is_blocked_time=if(tonumber(strftime(now(), "%H"))>=1 AND tonumber(strftime(now(), "%H"))<=6, 1, 0) 
| search is_sunday=0 OR is_blocked_time=0
| fields - is_sunday is_blocked_time

This macro will apply to every event two fields is_sunday and is_blocked_time, and the value will be the same for every event, because it's looking at the current time, not the time of the event. It will then filter out all events that are marked as is_sunday=1 and is_blocked_time=1, so assuming your alert will only generate notification if event count is greater than 0, then this will prevent the alert from firing during the maintenance window. You'd apply it like this:

your base search
| `ignore_maintenance_window`
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...