Answer by warren for Splunk: Schedule alert to run every 10 minutes

Now I want to schedule the alert search to run every 10 minutes. Therefore, I want to run it on a cron schedule and chose */10 * * * *. Is that correct?

No, that will run it every 6 minutes: you’re dividing the hour (60 minutes) by 10, giving you a schedule of every 6 minutes.

Secondly, I can choose an expiration date and a Time Range in the Save as Alert menu. By default it seems to be set to the last 24 hours (Time Range), and the Expiration date as well to the last 24 hours. I am now wondering if these settings have an effect on the alert search.

That’s how long the results of the given search are saved before expiring them.

The time period over which the search runs is set in the search itself. I usually explicitly set the period with earliest= thusly:

index=ndx sourcetype=srctp fieldA=* fieldb=* earliest=-10m

I also do not want the alert to expire after 24 hours but let the alert search run until it is stopped by me or someone else.

I think you misunderstand many Splunk terms. A search will run until it finishes. The results of a search are only kept for however long the expiration time is set for that search (defaults include 10 minutes, 7 days, 24 hours, and 2x the run interval (e.g. for scheduled Reports)).

If you schedule an Alert, it will stay scheduled until you (or someone else with appropriate permissions) disable it – I’ve got Alerts that run every 30 minutes that have been in place for months. I’ve got others that used to run every hour, but are now disabled (but not deleted, because we need them around during some parts of the year).

from User warren – Stack Overflow https://stackoverflow.com/questions/65613101/splunk-schedule-alert-to-run-every-10-minutes/65614130#65614130