Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
0 votes
377 views
in Technique by (71.8m points)

Splunk: Schedule alert to run every 10 minutes

I want to set an alert which runs every 10 minutes and is triggered when a certain ratio is either bigger than 2.5 or smaller than 0.5.

"certainEvent" source="abc.log" 
| timechart partial=f span=5m count as numbers 
| fillnull 
| streamstats current=f last(numbers) as last_numbers 
| eval ratio = numbers/last_numbers 
| where ratio>2.5 OR ratio < 0.5

Now I want to schedule the alert search to run every 10 minutes. Therefore, I want to run it on a cron schedule and chose */10 * * * *. Is that correct?

Secondly, I can choose an expiration date and a Time Range in the Save as Alert menu. By default it seems to be set to the last 24 hours (Time Range) and the Expiration date as well to the last 24 hours. I am now wondering if these settings have an effect on the alert search. I do not want my alert search to find every event which fulfills the condition in the query I set every time in this time range, but only once (and then get informed by mail). I also do not want the alert to expire after 24 hours, but let the alert search run until it is stopped by me or someone else. So, I am wondering if I should or have to modify these two parameters in order to get the required functionality?



1 Answer

0 votes
by (71.8m points)

> Now I want to schedule the alert search to run every 10 minutes. Therefore, I want to run it on a cron schedule and chose */10 * * * *. Is that correct?

Yes, that will run it every 10 minutes.

> Secondly, I can choose an expiration date and a Time Range in the Save as Alert menu. By default it seems to be set to the last 24 hours (Time Range) and the Expiration date as well to the last 24 hours. I am now wondering if these settings have an effect on the alert search.

That's how long the results of the given search are saved before expiring them.

The time period over which the search runs is set in the search itself. I usually explicitly set the period with earliest= thusly:

index=ndx sourcetype=srctp fieldA=* fieldb=* earliest=-10m

> I also do not want the alert to expire after 24 hours, but let the alert search run until it is stopped by me or someone else.

I think you misunderstand many Splunk terms. A search will run until it finishes. The results of a search are only kept for however long the expiration time is set for that search (defaults include 10 minutes, 7 days, 24 hours, and 2x the run interval (e.g. for scheduled Reports)).

If you schedule an Alert, it will stay scheduled until you (or someone else with appropriate permissions) disable it - I've got Alerts that run every 30 minutes that have been in place for months. I've got others that used to run every hour, but are now disabled (but not deleted, because we need them around during some parts of the year).
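As an added illustration (not part of the question or the answer), here is how the three settings discussed above map onto a savedsearches.conf stanza for the asker's ratio search: the cron schedule, the Time Range (dispatch window) narrowed from the 24-hour default, and the expiration, which only governs how long a triggered result set is kept. The stanza name, mail address and suppression period are placeholders.

```ini
[ratio_swing_every_10m]
# Constructed example stanza; the name and address below are placeholders.
search = "certainEvent" source="abc.log" \
| timechart partial=f span=5m count as numbers \
| fillnull \
| streamstats current=f last(numbers) as last_numbers \
| eval ratio = numbers/last_numbers \
| where ratio>2.5 OR ratio<0.5

# Schedule: the cron expression from the question, every 10 minutes.
enableSched = 1
cron_schedule = */10 * * * *

# Time Range: the window each run searches. Keeping it short instead of
# the 24h default means old buckets are not re-evaluated on every run.
# 15 minutes always contains at least two complete 5-minute buckets,
# which the ratio needs, because partial=f drops partial edge buckets.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Trigger whenever the search returns a row, i.e. the ratio is out of range.
counttype = number of events
relation = greater than
quantity = 0

# Expiration: how long a triggered result set is retained (24h default).
# It does not stop the schedule; the alert runs until disabled = 1 is set.
alert.expires = 24h
alert.track = 1
disabled = 0

# One e-mail per run listing all matching rows, not one mail per row.
action.email = 1
action.email.to = secops@example.com
alert.digest_mode = 1

# Optional: once it fires, hold further notifications for an hour
# (placeholder period) while the search keeps running on schedule.
alert.suppress = 1
alert.suppress.period = 1h
```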
