Cron schedule for saved search on last day of mont...

leeraym · ‎06-03-2010

Is it possible to schedule a saved search to run on the last day of the month? In UNIX, you can accomplish this by doing something like:

59 23 * * * [[ $(date +'%d') -eq $(cal | awk '!/^$/{ print $NF }' | tail -1) ]] && job.sh

I don't think I can do this in the Splunk interface though. I noticed under Basic scheduling, there's an option to run every "week (every Saturday at midnight)". It would be great to have another option to run every "month (last day of month at midnight)". Feature request?

Lowell · ‎06-04-2010

I highly doubt that such syntax is supported here; or even across various UNIX cron implementations; I could be wrong.

Have you considered simply run the report on the first day of every month and running your search for the range of the previous month?

cron_schedule = 5 1 1 * *
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon

This example would run on the first of every month at 1:05 AM and searches over the last full month. Would this work for what you are trying to do?

Doc references:

Specify relative time ranges in your search

mrzmsmglsnk · ‎03-06-2013

Thnx from me 2!

leeraym · ‎06-09-2010

Thanks! That should work nicely.

leeraym · ‎06-04-2010

I guess there is a not-so-elegant solution to this. Create 3 of the same saved searches and schedule them like this: cron1 at "59 23 31 1,3,5,7,8,10,12 *" to handle the months with 31 days; cron2 at "59 23 30 4,6,9,11 *" to handle the months with 30 days ; cron3 at "59 23 28,29 2 *" to handle February. But a more elegant, single savedsearch solution would be appreciated.

Cron schedule for saved search on last day of month

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!