Alerting

Splunk CRON Implementation incorrect in SEARCH-ALERTS

SplunkShawnCt
Explorer

Searches, reports, and alerts allows me to enter a CRON schedule with Dual ranges. For instance in the hour field if I do not want to run at 3:00 AM I can use this schedule to run every 15 minutes.

*/15 0-2,4-23 * * *

This is allowed under standard CRON. If instead of editing the CRON schedule in Searches, reports, and alerts I instead try to edit it the REPORTS or ALERTS section of the Splunk App I get an Invalid CRON error. I would attach a picture but it says I need more points.

Tags (2)
0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @SplunkShawnCt,
I've reported this issue as a bug and asked our search and reporting UI folks to investigate. It seems there is a validation issue in the UI, according to one of our cron expression engineers. Thanks for bringing it to our attention! I'll report back with any other updates.
best,
frobinson

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

I've asked our engineering team and it is a known bug with 6.1.2. It has been fixed as of 6.1.3. @SplunkShawnCt, if you can upgrade to 6.1.3 or beyond you should be good to go. Let me know if you have further questions on this issue.

Thanks!
frobinson

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @SplunkShawnCt,
I am a tech writer here at Splunk and I've been troubleshooting what sounds like a similar issue with a different app. I'll check with our engineering team to see if it's related.

The other post I've been working on is:
http://answers.splunk.com/answers/120603/cron-expression-in-splunk.html

I'll report back with any info I find.
Thanks,
frobinson

0 Karma

somesoni2
SplunkTrust
SplunkTrust

What version of Splunk you're using? Tested the same on 6.2.1 and your cron worked fine "*/15 0-2,4-23 * * *"

  1. From Settings->Searches, reports and alerts
  2. Go to App -> Searches Navigation Menu-> Edit ->Schedule
  3. Go to App -> Alerts Navigation Menu -> Edit ->Schedule
0 Karma

SplunkShawnCt
Explorer

Version 6.1.2

Editing the Schedule from Settings -> Searches, reports and alerts works fine for me.

The problem only occurs in the Search & Reporting app when using either the Alerts or Reports tab.

0 Karma

ppablo
Retired

Hi @SplunkShawnCt

Would you be able to provide a link to the image hosted on another site? A lot of other users do that instead of uploading it directly on here. Also, are you referring to the Search and Reporting App when you say "Splunk App"?

0 Karma

SplunkShawnCt
Explorer
0 Karma

SplunkShawnCt
Explorer

Under Settings if you go to Knowledge -> Searches, reports, and alerts

And select a search there you can enter a CRON schedule that contains two ranges. If you go to the Search App and Click Alerts or Reports and try to edit a CRON Schedule there you will get the error I am talking about. Under dashboards in the search app you can again schedule things on a CRON schedule and have double ranges is valid.

By double ranges I mean two ranges seperated by a comma, (Like in the above picture for the hour field)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...