Alerting

Can you help me with the cron scheduling of my alert?

damucka
Builder

Hello,

I need help with the cron scheduling of my alert. It is:

0,30 * * * *

From which I would expect my alert to be triggered always at 0 and 30-th min of an hour.

Below are my triggering times (I test it the way that there is always a result returned, so the alert should always be triggered):

6:40
7:15
7:39
8:19
8:39
9:19
9:39
10:19
11:20
11:40

Any hint why this is and how would I reach my goal?

The alert search itself takes only couple of second and does not justify this kind of delays.

Kind regards,
Kamil

0 Karma
1 Solution

dkeck
Influencer

There shouldn´t be a

,

in your chron

To test chron this site is good : https://crontab.guru/#0_12_*_*_5

View solution in original post

0 Karma

dkeck
Influencer

There shouldn´t be a

,

in your chron

To test chron this site is good : https://crontab.guru/#0_12_*_*_5

0 Karma

damucka
Builder

Hello dkeck,

Could you please paste the cron notation in that case?
The following combination:

0 30 * * * *

Is not accepted by Splunk. Only the:

030 * * * *

But I guess it does not do what I want.

Kind Regards,
Kamil

0 Karma

dkeck
Influencer

This is for every 30 min

*/30 * * * *
0 Karma

damucka
Builder

Hello,

Yes, but I would like precisely at the minute 0 and 30.
How would it be then?

Kind Regards,
Kamil

0 Karma

dkeck
Influencer

Ah ok so I mixed that up, your initial thought was correct than 0,30 * * * *

0 Karma

damucka
Builder

Yes, so if my initial thought was correct, the question would be why do I get the triggering times as I get:

 6:40
 7:15
 7:39
 8:19
 8:39
 9:19
 9:39
 10:19
 11:20
 11:40
0 Karma

dkeck
Influencer

hm, I tested it its working.

How do you set up the alert?

0 Karma

damucka
Builder

"Run on Schedule" --> "Cron expression" --> 0,30 * * * *

Each time I scan the time range of 7 days in the past with my search just to find something and trigger the alert. But as mentioned, the search itself is quite fast and should not lead to this kind of delays.

0 Karma

dkeck
Influencer

please check the sheduler log. There should be logs stating when the search run and how long it took, maybe its taking to long. index=_internal sourcetype=scheduler savedsearch_name=

damucka
Builder

Thank you.
I used the following search:

index=_internal sourcetype=scheduler savedsearch_name=BWP* savedsearch_name="BWP Parameter Changes" | convert ctime(scheduled_time) as SCHEDULE | convert ctime(dispatch_time) as DISPATCH | table _time SCHEDULE DISPATCH run_time

and there is a significant delay / difference between scheduled_time and dispatch_time. So i guess the scheduling works fine, but there is some issue with dispatching. What would be the common reasons

for that? Resource exhaustion?
I scheduled it now a bit different:
17,47 * * * *
to see if I get better results, assuming that many other searches get kicked off on the 0 and 30-th minute of an hour.

dkeck
Influencer

Could be that more than this search is scheduled for this time, since many users/apps schedule their search around this time.

Nice that we got to the botton of this 🙂

Please accept the answer 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...