The problem with the 1-59/5 * * * * answer is that once you get to the 20th alert and you have the alert set to look at something like 5-10 min in the past for an event, you will miss alerts. For example, if you set the alert to kick off at 20 past the hour, i.e. 20-59/5 * * * *, it will run at 20, 25, 30, ..., 55, looking back 5-10 min in the past, i.e. at 55 it will look back at 45-50 past the hour. However, the next time it will run after 55 in hour one is 20 after hour 2. So you'd miss a total of 20 minutes of events that occurred from 50 minutes past hour 1 to 10 minutes past hour 2. The preferred way that I've found to write a cron expression that fires every 5 minutes starting at 20 past the hour originally, but then continues every 5 minutes to eternity, is */5+20 * * * *. However, it appears that Splunk does not support the +x syntax. So the next "best" option I have found is doing this:
alert1=0,5,10,15,20,25,30,35,40,45,50,55 * * * *
alert2=1,6,11,16,21,26,31,36,41,46,51,56 * * * *
alert3=2,7,12,17,22,27,32,37,42,47,52,57 * * * *
alert4=3,8,13,18,23,28,33,38,43,48,53,58 * * * *
alert5=4,9,14,19,24,29,34,39,44,49,54,59 * * * *
And you'd start back over at 0, 5, 10, etc. after alert 10. It's a bit messy, but given Splunk's apparent cron syntax limitation, it appears to be the only thing that will do the trick. Any suggestions on how to clean up this cron syntax given Splunk's limitations? Any comments are appreciated.
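The coverage gap the post describes can be checked rather than reasoned out by hand. The script below is an added example, not code from the original post or from Splunk: it expands only the minute field of a cron expression (hour and day fields are assumed to be `*`), models a saved search whose run at minute `t` looks at events from `t-10` up to but not including `t-5` (the post's "5-10 min in the past"; both bounds are assumptions), and reports which minutes of a given hour no run will ever search. It also generates the five staggered minute lists from the post from a single offset loop. The function names and the simplified cron parser are mine and do not model Splunk's actual scheduler.

```python
"""Simulate cron minute fields against an alert's lookback window (added example)."""
from typing import List, Set


def expand_minute_field(field: str) -> List[int]:
    """Expand a cron minute field such as '*/5', '20-59/5' or '1,6,11' into minutes 0-59.

    Supports lists, ranges, '*', and '/step' on ranges or '*'. A lone value with
    a step ('20/5') is rejected because implementations disagree on its meaning.
    """
    minutes: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo_str, hi_str = part.split("-", 1)
            lo, hi = int(lo_str), int(hi_str)
        else:
            if step != 1:
                raise ValueError(f"step on a single value is ambiguous: {part}/{step}")
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 59) or step < 1:
            raise ValueError(f"bad minute spec: {part}")
        minutes.update(range(lo, hi + 1, step))
    return sorted(minutes)


def run_times(field: str, hours: int) -> List[int]:
    """Absolute minutes (counted from 0) at which the schedule fires over `hours` hours."""
    per_hour = expand_minute_field(field)
    return [h * 60 + m for h in range(hours) for m in per_hour]


def covered_minutes(fields: List[str], hours: int,
                    lookback_start: int = 10, lookback_end: int = 5) -> Set[int]:
    """Union of event minutes searched by every run of every schedule in `fields`.

    A run at absolute minute t searches [t - lookback_start, t - lookback_end),
    i.e. the post's 'look back at 5-10 min in the past' (assumed semantics).
    """
    covered: Set[int] = set()
    for field in fields:
        for t in run_times(field, hours):
            covered.update(range(t - lookback_start, t - lookback_end))
    return covered


def uncovered_in_hour(fields: List[str], hour_index: int,
                      lookback_start: int = 10, lookback_end: int = 5) -> List[int]:
    """Minutes of hour `hour_index` (0-based) that no run ever searches.

    Simulates one extra hour past the one inspected so that runs early in the
    following hour, whose windows reach back into this one, are counted.
    """
    covered = covered_minutes(fields, hour_index + 2, lookback_start, lookback_end)
    start = hour_index * 60
    return [m for m in range(start, start + 60) if m not in covered]


def staggered_fields(period: int = 5) -> List[str]:
    """Generate `period` minute fields whose offsets together fire every minute.

    staggered_fields(5) reproduces the post's alert1..alert5 minute lists.
    """
    return [",".join(str(m) for m in range(offset, 60, period)) for offset in range(period)]


if __name__ == "__main__":
    for label, fields in [("20-59/5", ["20-59/5"]),
                          ("*/5", ["*/5"]),
                          ("five staggered alerts", staggered_fields(5))]:
        gap = uncovered_in_hour(fields, hour_index=1)
        print(f"{label:>22}: {len(gap):2d} unsearched minutes in hour 1 -> {gap}")
```

Running it shows the 20-minute hole per hour for `20-59/5` (minutes 60-69 and 110-119 of the simulated timeline, i.e. :00-:09 and :50-:59 of hour 1), and no hole for either `*/5` or the union of the five staggered schedules. Because every minute of an hour is a run start in the staggered set, each event minute is actually searched by five different runs, so any de-duplication or throttling on the alert side should be configured with that overlap in mind.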