Solved: What cron expression is supported for the PowerShe...

martinho · ‎10-26-2016

When using Splunk Web to configure a new Powershell v3 Modular Input the hint for the Cron Schedule the hint text states A cron string specifying the schedule for execution: seconds minutes hours days-of-month month days-of-week years but this does not seem to be a valid Cron expression. What syntax is supported by Splunk for this feature. I am using Splunk 6.3.1.

I'm asking this question so I can document the answer that I have found for easy future reference.

martinho · ‎10-27-2016

From trial and error, it seems that the cron expression supported here is the same as for scheduled alerts:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts#Schedule_the_alert

and that is the 5 field version corresponding to correspond to minute hour day-of-month month day-of-week. See the Wikipedia entry for Cron for details:
https://en.wikipedia.org/wiki/Cron#CRON_expression

I suspect the incorrect hint text comes from the fact that there is also a Splunk Add-on for Microsoft PowerShell (https://splunkbase.splunk.com/app/1477/) that was implemented using Quartz.net (http://www.quartz-scheduler.net/) which has a different cron expression syntax for cron triggers (http://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html ).

It seems that the built-in PowerShell v3 Modular Input that comes with Splunk 6.3+ shares the same implementation as as other parts of the Splunk platform. The documentation for the PowerShell Modular Input: http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts uses the correct format for the examples although is still incorrectly includes a link to the Quartz.net implementation.

It makes sense that Splunk would not want you to be triggering these scripts with a more granular time scale than minutes so the lack of seconds support seems to fit.

View solution in original post

martinho · ‎10-27-2016

From trial and error, it seems that the cron expression supported here is the same as for scheduled alerts:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts#Schedule_the_alert

and that is the 5 field version corresponding to correspond to minute hour day-of-month month day-of-week. See the Wikipedia entry for Cron for details:
https://en.wikipedia.org/wiki/Cron#CRON_expression

I suspect the incorrect hint text comes from the fact that there is also a Splunk Add-on for Microsoft PowerShell (https://splunkbase.splunk.com/app/1477/) that was implemented using Quartz.net (http://www.quartz-scheduler.net/) which has a different cron expression syntax for cron triggers (http://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html ).

It seems that the built-in PowerShell v3 Modular Input that comes with Splunk 6.3+ shares the same implementation as as other parts of the Splunk platform. The documentation for the PowerShell Modular Input: http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts uses the correct format for the examples although is still incorrectly includes a link to the Quartz.net implementation.

It makes sense that Splunk would not want you to be triggering these scripts with a more granular time scale than minutes so the lack of seconds support seems to fit.

cmerriman · ‎10-27-2016

Quartz Scheduler Format, not Unix Standard. The doc has examples.

http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html
http://docs.splunk.com/Documentation/AddOns/released/MSPowerShell/Configuration

What cron expression is supported for the PowerShell Modular Input schedule

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2