Alerting

What's the difference between cron schedule and auto_summarize.cron_schedule?

hrithiktej
Communicator

Please help

I am trying to find the schedule of the alerts that are set up by other users. In Searches, reports, and alerts > Advanced edit for one of the searches, I find just 5 stars in cron schedule (`* * * * *`) and auto_summarize.cron_schedule is `*/10 * * * *`. What is the difference between these two?

0 Karma
1 Solution

somesoni2
SplunkTrust

The format of the cron schedule in Splunk is (minute) (hour) (day of month) (month) (day of week). So `* * * * *` is every minute. The auto_summarize.cron_schedule is effective when you've set up Report Acceleration on your search (attribute `auto_summarize = true`). If you're accelerating your scheduled search, you can ignore the auto_summarize.cron_schedule value.

hrithiktej
Communicator

Thank you very much for your help

0 Karma

cpetterborg
SplunkTrust

This applies only to the first field: */10 means every ten minutes. */2 means every other minute. */30 means every 30 minutes.

In some cron configurations you can do something like 3/5, and it means start at minute 3 past the hour and run every 5 minutes after that.

0 Karma

hrithiktej
Communicator

Thanks for the quick help. I do not understand:

1) What do the 5 stars in cron schedule `* * * * *` mean?

And the auto_summarize.cron_schedule is `*/10 * * * *`; does this mean the search is scheduled to run every 10 mins?

0 Karma

cpetterborg
SplunkTrust

Crontab Format. Commands are executed by cron when the minute, hour, and month of year fields match the current time, and when at least one of the two day fields (day of month, or day of week) match the current time. A field may be an asterisk ( * ), which always stands for "first-last". Ranges of numbers are allowed.

First field = Minutes
Second field = Hours
Third field = Day of the month
Fourth field = Month
Fifth field = Day of the week

An asterisk basically matches every possible value, so for minutes an asterisk means any minute from 0-59. If you have `* * * * *`, that means every minute of every hour of every day of every month of the year, no matter what day of the week. To put the minutes field at `*/10` means every 10 minutes of every hour of every day of every month of the year, no matter what day of the week.

0 Karma
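
An added example (not from the thread or from Splunk) that implements the crontab matching described in the post above and compares the two schedules from the question. It assumes standard five-field cron semantics, including the usual refinement that the either-day rule applies only when both day fields are restricted; `expand`, `matches` and `runs_in_hour` are hypothetical helper names.

```python
from datetime import datetime, timedelta

# (low, high) bounds for: minute, hour, day of month, month, day of week
BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def expand(field, low, high):
    """Expand one cron field ('*', '*/10', '3-9/2', '1,15') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = end = int(rng)
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(start, end + 1, step))
    return values

def matches(expr, when):
    """True if the five-field cron expression fires at the minute `when`."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour dom month dow")
    sets = [expand(f, lo, hi) for f, (lo, hi) in zip(fields, BOUNDS)]
    minute, hour, dom, month, dow = sets
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    dom_ok = when.day in dom
    dow_ok = (when.weekday() + 1) % 7 in dow  # cron numbering: 0 = Sunday
    # Assumed standard cron rule: when both day fields are restricted, either
    # one may match; otherwise one is '*' and the other field decides.
    if not fields[2].startswith("*") and not fields[4].startswith("*"):
        return dom_ok or dow_ok
    return dom_ok and dow_ok

def runs_in_hour(expr, start):
    """Minutes within the hour beginning at `start` at which `expr` fires."""
    return [m for m in range(60) if matches(expr, start + timedelta(minutes=m))]

if __name__ == "__main__":
    # Constructed sample: the two values quoted in the question.
    hour = datetime(2024, 1, 1, 9, 0)
    for name, expr in [("cron_schedule", "* * * * *"), ("auto_summarize.cron_schedule", "*/10 * * * *")]:
        print(name, expr, "->", len(runs_in_hour(expr, hour)), "runs/hour")
```
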

hrithiktej
Communicator

Thanks for the reply. I have 5 asterisks `* * * * *` in the Cron schedule box. Should I ignore the other box, which has `*/10` in the auto_summarize.cron_schedule?

0 Karma

cpetterborg
SplunkTrust

I would say, yes, ignore it. It is just going to run every 10 minutes instead of every minute. If you need it to run more often, then you can make the 10 be a smaller number or eliminate the /10 altogether.

0 Karma

hrithiktej
Communicator

Thanks for your help

0 Karma