Cron Expression in Splunk

jimjohn
Path Finder

Hi

I want a cron expression to run every 4 minutes. When I give */5 * * * * I am getting
com.splunk.config.SplunkConfigurationException: Invalid interval value=*/5 * * * * for stanza ***
Please suggest the reason.

anand_singh17
Path Finder

*/5 * * * *

will make it work. It's correct, but the spaces are required.

0 Karma

lweber
Path Finder

It is also a bug in Splunk... if you add a scripted input in Splunk Web ("Add Data" -> "Monitor" -> "Script") and enter a cron expression in the interval field (e.g. */5 * * * *) you'll get an "Enter a number for the Interval field." alert message.

What works is: enter any numeric value in the interval field, save your configuration. Go back to your inputs and modify the scripted input you just created, now you can set any valid cron expression you like.

edit:
this is in Version 6.2.3

0 Karma

frobinson_splun
Splunk Employee

Hello, @lweber. Thank you for bringing this to our attention. I will check in with our engineering team and get back to you! Please feel free to post any further comments or questions here.
Thanks!!

0 Karma

frobinson_splun
Splunk Employee

Hi @lweber. I've reported this problem as a bug for Splunk Web and our engineers are currently looking into it. Please stick with your workaround for the moment and I'll report back with any updates when I receive them.
Thank you!

0 Karma

frobinson_splun
Splunk Employee

Hi again, @lweber. Just another update: our engineering team has a fix for this slated for our next release. They are currently working on an update to 6.2.3 that will also address this issue. I'll let you know when it's ready.
Thanks!

0 Karma

frobinson_splun
Splunk Employee

Cron notation parsing errors are noted as a bug with DBX 1.x. I've filed a bug with the DB Connect/DBX engineering team to address this and will report back with further updates! Please feel free to comment with more details or related questions.

Thank you!

0 Karma

bohrasaurabh
Communicator

This is specific to DBX and we have noticed the same issue on DBX release 1.15 also.

0 Karma

frobinson_splun
Splunk Employee

@bohrasaurabh: thank you! This is noted and I'll file a bug with our engineering team for DBX.

0 Karma

frobinson_splun
Splunk Employee

editing to tag @bohrasaurabh: can you please provide locale setting info? Thank you!

0 Karma

bohrasaurabh
Communicator

LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

0 Karma

frobinson_splun
Splunk Employee

@bohrasaurabh: thanks so much! Will update you after sending this along to our engineers.

0 Karma

frobinson_splun
Splunk Employee

@tweaktubbie: could you also provide any locale setting info you have? Thanks!

0 Karma

frobinson_splun
Splunk Employee

@jimjohn and @pacrip:

Just posting this as an answer, as it's the most current and correct status we have for this issue: we've determined that this is a bug on the DB Connect 1/DBX version 1.17. I've assigned this to our apps team to take it from here. I will post back here with any further updates! Thanks for your input!

All best,
frobinson

tweaktubbie
Communicator

Our machine with DB Connect 1.1.4 has a weird issue: using the cron * * * * 2,5 makes the query run on Mon+Thu - is there some server setting making Sundays the first day of the week? On the search head * * * * 2,5 does run on Tue+Fri??? Stating * * * * TUE,FRI however does the trick, but it remains vague?

frobinson_splun
Splunk Employee

Hi again, @tweaktubbie. I confirmed with our cron scheduler expert that 2,5 should be "Tuesday" and "Friday", per standard cron notation. 0 should be Sunday, running through 6 as Saturday: http://en.wikipedia.org/wiki/Cron#crontab_syntax

What you're seeing in DB Connect sounds like a bug, so I will file a bug to get this issue fixed. Please stay tuned for updates and let me know if you have further questions.

Thank you!
Fiona

tweaktubbie
Communicator

LANG=en_US.UTF-8 is the only locale I could retrieve via the set command on the prompt. Or do you have some query/config file to check?

Did some more checks; on all Splunk servers, including those where dbV1 1.1.7 is installed, scheduled searches/alerts function correctly, with * * * * 1 running on Mondays that is. However, all DB Connect applications with data inputs using * * * * 1 run on Sundays. So the issue is isolated within DB Connect.

Created a fresh input with * * * * 2 (and changing it to 3) gave the following entry in _internal:
dbx6725:INFO:ExecutionSchedule - Cancelling execution schedule input=[dbmon-dump://(name)/crontest] nextExecution=Mon Jun 08 10:10:00 CEST 2015 state=WAITING

frobinson_splun
Splunk Employee

@tweaktubbie: thank you for this info! Passing it along to the engineering team.

0 Karma

frobinson_splun
Splunk Employee

@tweaktubbie and @bohrasaurabh: Our DB Connect engineers are looking into fixing this bug. For now, they suggest making an adjustment to your cron expression to get the results you want, either changing the numeric value to get the expression to register as you wish or using the text input workaround (typing in "TUE, FRI") that @tweaktubbie mentioned.

Thank you and I'll write with any further updates!
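
The name-based workaround suggested above, as an added example that is not part of the original posts and is not Splunk or DB Connect code: it rewrites numeric weekdays in a 5-field cron expression to names so the schedule cannot shift by a day. The function names are hypothetical, and the `sunday=1` numbering is an assumption inferred from the behaviour reported in this thread.

```python
# Added example: make the day-of-week field of a 5-field cron expression explicit.
NAMES = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]

def _name(token, sunday):
    """Map one day token to a name; tokens that are already names pass through."""
    if not token.isdigit():
        return token.upper()
    n = int(token)
    if not sunday <= n <= 7:
        raise ValueError("day-of-week %d out of range %d-7" % (n, sunday))
    return NAMES[(n - sunday) % 7]

def dow_to_names(field, sunday=0):
    """Rewrite a day-of-week field using names.

    sunday=0: standard crontab numbering (0=SUN .. 6=SAT, 7 also SUN).
    sunday=1: assumption, the numbering the DB Connect inputs in this
              thread appeared to use (1 ran on Sunday, 2,5 on Mon+Thu).
    """
    parts = []
    for part in field.split(","):
        base, _, step = part.partition("/")
        if base != "*":
            base = "-".join(_name(t, sunday) for t in base.split("-"))
        parts.append(base + ("/" + step if step else ""))
    return ",".join(parts)

def pin_days(expr):
    """Return expr with numeric weekdays replaced by names (standard numbering)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 space-separated fields, got %d" % len(fields))
    fields[4] = dow_to_names(fields[4])
    return " ".join(fields)

if __name__ == "__main__":
    # Constructed sample schedules, not taken from any real inputs.conf.
    for expr in ["* * * * 2,5", "0 6 * * 1-5", "*/5 * * * *"]:
        print("%-14s -> %s" % (expr, pin_days(expr)))
        shifted = dow_to_names(expr.split()[4], sunday=1)
        if shifted != pin_days(expr).split()[4]:
            print("   a 1=SUN scheduler would read it as: " + shifted)
```
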

frobinson_splun
Splunk Employee

Hi @tweaktubbie, thanks for your question. Let me look into this and see if I can track down an answer. Will report back!

0 Karma

jrodman
Splunk Employee

Is this specific to dbx inputs? How are you attempting to apply this setting?
If it's via file editing, can you provide the full stanza?

0 Karma