Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert suppression

ahuihou
New Member
‎08-28-2018 01:56 PM

What is the best way to run a search to be alerted/emailed between 4pm-6am M-F, weekend and holidays? Should the search include the times or be adjusted in the cron schedule or lookup table? What would the example look like? Thanks.

0 Karma
Reply

Shan
Builder
‎08-29-2018 09:45 PM

@ahuihou,

I think then you need to go for 4 different alert setup.
I don't think you can achieve all condition in same cron schedule.
Please try below option..

“At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6 on Monday, Tuesday, Wednesday, Thursday, and Friday.” 

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * Mon,Tue,Wed,Thu,Fri

“At minute 0 past every hour on Saturday and Sunday.” 

00 */1 * * Sat,Sun

“At minute 0 past every hour on Monday.” 

00 */1 * * Mon

“At minute 0 past every hour on Thursday.” 

00 */1 * * Thu

Thanks ..

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 08:39 AM

No alert during the daytime between 6am-4pm M-F. I want an alert during 4pm-6am + all weekend + all holidays. The holidays would be tricky. Would a lookup table or file be the best or a combination of cron + lookup? If so, how is this accomplished?

0 Karma
Reply

Shan
Builder
‎08-29-2018 05:27 AM

@ahuihou,

It's always best to go for cron schedule for your scenario.

Try below cron cmd to schedule for 4pm-6am runs at “At minute 0 past hour 16, 17, 18, 19, 20, 21, 22, 23, 0, 1, 2, 3, 4, 5, and 6.” of ever on everyday. Take cron from 00.

00 16,17,18,19,20,21,22,23,00,1,2,3,4,5,6 * * *
0 Karma
Reply

ahuihou
New Member
‎08-29-2018 09:20 AM

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-28-2018 02:32 PM

Hi,
You can do this by adjusting the cron schedule which looks something like this.
The cron syntax is:

  0 7-19 * * 1-5  (run hourly, 7am-7pm inclusive, Mon-Fri) 
  0 7-16 * * 6  (run hourly, 7am-4pm inclusive, Saturday)

Let me know if this helps.

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 09:20 AM

I want to get alerted M-F 4pm-6am + all weekend + all holidays. The tricky part would be the holidays. Would a lookup table + cron be the way to go? If so, how would I accomplish this?

0 Karma
Reply

Shan
Builder
‎08-29-2018 10:31 AM

@ahuihou,

As per ur comment. I look like u need alert for all whole calendar year .. so u don't wanna specify any day ...

0 Karma
Reply

ahuihou
New Member
‎08-29-2018 01:35 PM

4pm-6am M-F
all day Saturday and Sunday 24hours
Holiday on Monday, all day Monday , Thanksgiving Thursday , all day Thursday. Does that make sense?

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-29-2018 10:27 AM

then you can set an alert to trigger between 4pm-6am everyday.
https://crontab.guru/

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...