Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert suppression

ahuihou
New Member
‎08-28-2018 01:56 PM

What is the best way to run a search to be alerted/emailed between 4pm-6am M-F, weekend and holidays? Should the search include the times or be adjusted in the cron schedule or lookup table? What would the example look like? Thanks.

0 Karma
Reply

Shan
Builder
‎08-29-2018 09:45 PM

@ahuihou,

I think then you need to go for 4 different alert setup.
I don't think you can achieve all condition in same cron schedule.
Please try below option..

“At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6 on Monday, Tuesday, Wednesday, Thursday, and Friday.” 

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * Mon,Tue,Wed,Thu,Fri

“At minute 0 past every hour on Saturday and Sunday.” 

00 */1 * * Sat,Sun

“At minute 0 past every hour on Monday.” 

00 */1 * * Mon

“At minute 0 past every hour on Thursday.” 

00 */1 * * Thu

Thanks ..

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 08:39 AM

No alert during the daytime between 6am-4pm M-F. I want an alert during 4pm-6am + all weekend + all holidays. The holidays would be tricky. Would a lookup table or file be the best or a combination of cron + lookup? If so, how is this accomplished?

0 Karma
Reply

Shan
Builder
‎08-29-2018 05:27 AM

@ahuihou,

It's always best to go for cron schedule for your scenario.

Try below cron cmd to schedule for 4pm-6am runs at “At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6.” of ever on everyday. Take cron from 00.

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * *
0 Karma
Reply

ahuihou
New Member
‎08-29-2018 09:20 AM

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-28-2018 02:32 PM

Hi,
You can do this by adjusting the cron schedule which looks something like this.
The cron syntax is:

  0 7-19 * * 1-5  (run hourly, 7am-7pm inclusive, Mon-Fri) 
  0 7-16 * * 6  (run hourly, 7am-4pm inclusive, Saturday)

Let me know if this helps.

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 09:20 AM

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma
Reply

Shan
Builder
‎08-29-2018 10:31 AM

@ahuihou,

As per ur comment. I look like u need alert for all whole calendar year .. so u don't wanna specify any day ...

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 01:35 PM

4pm-6am M-F
all day Saturday and Sunday 24hours
Holiday on Monday, all day Monday , Thanksgiving Thursday , all day Thursday. Does that make sense?

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-29-2018 10:27 AM

then you can set an alert to trigger between 4pm-6am everyday.
https://crontab.guru/

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...