Alerting

Will the time range work on specific cron expression when firing alerts once every fifteen minutes?

mkrishnamoorthy
Explorer

Hey all,

I wanted to fire alerts once every 15 mins, between 6am and 8pm every day. I have written a cron expression as

*/15 06-20 * * *

I selected the time range as last 15 minutes.

So my question is, what does the time range do here? Will the time range work on a specific cron expression?

If I am wrong, could you please help me out to fire alerts at a specific cron time?


jnudell_2
Builder

Hi mkrishnamoorthy,
Your cron schedule looks almost right (I'm sure it's the HTML dropping the * character.)
*/15 06-20 * * * will run the search starting from 6AM through 8PM every day of the year.

In the schedule, when you select time range, that's the range of time that Splunk searches from. So if you set it to last 15 minutes, at 6AM Splunk will run the search looking at 5:45AM - 6:00AM for the requested data.

The other way to approach this would be to create an alert that only fires if there are results, and then craft your search to check the time and only present results if the time falls within your scope of 6AM - 8PM.


richgalloway
SplunkTrust

The time range specifies how far back the query will look for events. A time range of 15 minutes is not the same as running every 15 minutes, although each setting should be considerate of the other.

---
If this reply helps you, Karma would be appreciated.
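As an added illustration, not from either reply above, here is a small Python model of how the cron schedule and the alert's time range interact: it expands `*/15 06-20 * * *` into the run times it actually produces, attaches the "last 15 minutes" window each run searches, and reports whether consecutive windows leave gaps (events never searched, so never alerted on) or overlaps (the same events alerted on twice). The cron parser is a deliberately minimal one covering only the field syntax used in this thread, not Splunk's own scheduler.

```python
from datetime import datetime, timedelta


def _field(spec, lo, hi):
    """Expand one cron field: '*', '*/n', 'a-b', 'a-b/n', 'n', or a comma list."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return sorted(values)


def run_times(cron, day):
    """Scheduled run datetimes on `day` for a cron whose day/month/weekday fields are '*'."""
    minute, hour, dom, mon, dow = cron.split()
    if (dom, mon, dow) != ("*", "*", "*"):
        raise ValueError("only daily schedules are modelled here")
    return [day.replace(hour=h, minute=m, second=0, microsecond=0)
            for h in _field(hour, 0, 23) for m in _field(minute, 0, 59)]


def search_windows(cron, lookback, day):
    """(earliest, latest) window each scheduled run searches, e.g. lookback = 'last 15 minutes'."""
    return [(t - lookback, t) for t in run_times(cron, day)]


def coverage_gaps(windows):
    """Total gap and overlap minutes between consecutive windows; (0, 0) means they tile exactly."""
    gap = overlap = timedelta(0)
    for (_, prev_end), (nxt_start, _) in zip(windows, windows[1:]):
        if nxt_start > prev_end:
            gap += nxt_start - prev_end
        elif nxt_start < prev_end:
            overlap += prev_end - nxt_start
    return int(gap.total_seconds() // 60), int(overlap.total_seconds() // 60)


if __name__ == "__main__":
    day = datetime(2024, 3, 1)  # constructed sample date
    for lookback in (10, 15, 30):
        windows = search_windows("*/15 06-20 * * *", timedelta(minutes=lookback), day)
        print(f"last {lookback} min -> {len(windows)} runs, first window {windows[0]}, "
              f"gap/overlap minutes {coverage_gaps(windows)}")
```

Note that the hour field `06-20` includes hour 20, so the last run of the day is 20:45, not 20:00; a lookback shorter than the run interval leaves blind spots, and a longer one re-alerts on the same events.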