Solved: Re: Trigger alert according to calendar

katalinali · ‎11-22-2010

Can splunk send me alert according to my one year calendar? Or if it can exclude a number of specific days?

Rob · ‎11-22-2010

You can set up the alerts using cron which will allow you to define when you want to run a saved search and send an alert with the results.

This can be done by selecting a saved search under 'Manager>>Searches and Reports'.

Cron syntax for once a year on January 1st would be (include the spaces between characters):

0 0 1 1 *

Where the first '0' is the minute of the hour (accepted values are 0-59)

-- The second '0" is the hour of the day (accepted values are 0-23)

-- The first '1' is the day of the month (accepted values are 1-31)

-- The second '1' is the month of the year (accepted values are 1-12)

-- The last '*' is for the day of the week (accepted values are 0-6 where 0 = Sunday, 1 = Monday, etc. The * characters represents all legal values for the column.)

Cron works in an inclusive manner. Which means that to exclude dates and times you would want to include all the dates and times when you would want cron to run the alert. This can be done by including a comma between values. Here is an example cron line for Monday, Wednesday, and Friday.

* * * * 1,3,5

If your exclusion rule is more specific, you may want to clone the search/alert and include another cron job to run. For example, if you wish to not run alerts for the 24th and 25th of December but would like it every other work day then the two cron lines that you will want for the same cloned search would be: (all entries below would be run at midnight)

* * * 1-11 1-5

* * 1-23,26-31 12 1-5

View solution in original post

Rob · ‎11-22-2010