Alerting

How to write a cron schedule for a single alert to run at 4:50 AM and 5:05 AM?

xbbj3nj
Path Finder

Hi All,

How do I write a cron expression that runs only at 4:50 AM and 5:05 AM on a day?

Note: I want to save it as a single alert, and I want to run it Monday through Friday.

I tried something like below, but it will run @ 4:50 AM and 5:50 AM.
50 4-5 * * * 1-5

I want to run @ 4:50 AM and schedule it for the next 15th minute. Is this possible? Please let me know.

0 Karma

jyotipatil14
New Member

Try 50,0 4,5 * 1-5 .... (I tried this and it worked 🙂)

That is for Windows; for Unix, replace the comma with a right slash /

0 Karma

somesoni2
Revered Legend

I couldn't figure out a direct method, but this may be a workaround.
Use this cron: 5-49/5 4-5 * * 1-5

This will make your alert search run 4 times a day from Mon-Fri @ 4:05, 4:50, 5:05, 5:50.
The next step will be to include the following filters in your alert search string, in the base search section, so that basically no action is taken if it's run at 4:05 and 5:50.

e.g. if your alert search is like this

index=_internal ERROR | stats count | where count>0

Alert condition: if no. of events > 0

Modified search:
index=_internal ERROR [|gentimes start=-1 | eval hour=tonumber(strftime(now(),"%H")) | eval min=tonumber(strftime(now(),"%M")) | eval search=if((hour=4 AND min<50) OR (hour=5 AND min>5),"1=2","") | table search ]| stats count | where count>0

0 Karma

saivineet
New Member

What is this 5-59/45?

0 Karma

somesoni2
Revered Legend

It actually should be just 5-49/5 4-5 * * 1-5. It will run for hour 4 OR 5, every 5 min starting from the 5th minute to the 49th (minutes are represented as 0 to 59; I'm skipping execution on the 0th/50th/55th minute). Then the subsearch will ensure that nothing runs unless the hour is 4 and the minute is 50 OR the hour is 5 and the minute is 5.

0 Karma
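
Added example (not part of any post in this thread): a small expander for the minute and hour fields of a cron line, assuming standard five-field cron semantics, for checking which run times a schedule produces before saving an alert. Cron matches minute and hour independently, which is why 04:50 plus 05:05 needs an over-broad schedule combined with a time filter in the search. `CANDIDATE` and all function names are constructed for this example.

```python
from itertools import product

def expand(field, lo, hi):
    """Expand one cron field (lists, ranges, '*', '/step') into sorted ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = int(rng)
            end = hi if "/" in part else start
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return sorted(values)

def fire_times(expr):
    """Return the 'HH:MM' run times per matching day for a 5-field cron line."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    minutes = expand(fields[0], 0, 59)
    hours = expand(fields[1], 0, 23)
    # Minute and hour are matched independently, so the run times are the
    # cross product of the two fields.
    return [f"{h:02d}:{m:02d}" for h, m in product(hours, minutes)]

def single_cron_possible(wanted):
    """True if one cron line can hit exactly the wanted 'HH:MM' times."""
    hours = {t[:2] for t in wanted}
    minutes = {t[3:] for t in wanted}
    return {f"{h}:{m}" for h in hours for m in minutes} == set(wanted)

WANTED = ["04:50", "05:05"]
CANDIDATE = "5,50 4-5 * * 1-5"  # constructed for this example, not from the thread

if __name__ == "__main__":
    for expr in ("5-49/5 4-5 * * 1-5", CANDIDATE):
        runs = fire_times(expr)
        extra = [t for t in runs if t not in WANTED]
        missing = [t for t in WANTED if t not in runs]
        print(expr, "->", runs, "| filter out:", extra, "| missing:", missing)
    print("one cron line is enough:", single_cron_possible(WANTED))
```

Any run time reported under "filter out" has to be suppressed inside the search itself, as the subsearch in the answer above does; anything under "missing" means the schedule never fires at a wanted time.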