Alerting

Splunk Alert With Cron Triggering when it shouldn't

lespinoza212
New Member

Hello,

Recently we got Splunk upgraded to version 7.2.5.1 and one of my alerts has been triggering without following its cron schedule expression. I wrote this cron expression for an alert which is only supposed to run at 8am on the first Monday of every month:

0 8 1-7 * 1

Just to break this down:

0: Minute
8: Hour
1-7: Day of the month
*: Month
1: Day of the week (Monday)

The alert was behaving as expected before the upgrade. It has triggered on Tuesday 04/02 at 8pm EST and on Thursday 04/04 at 8pm. What may be the issue? Any help is appreciated. Thanks for your time.

Luis Espinoza


oztraik9
Engager

Check your cron configuration on crontab.guru:

https://crontab.guru/#0_8_1-7_*_1


renjith_nair
SplunkTrust

@lespinoza212,

It does not seem to be a Splunk alert issue; crontab works that way.

Below is from the crontab manual:

Note: The day of a command's execution can be specified by two fields - day of month, and day of week. 
If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. 
For example,
"30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.

So in your case, it runs on the 1st through 7th of every month and also on every Monday.

You might need to include the logic in your search.

Happy Splunking!
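To make the man-page rule concrete, here is an added example (not code from the thread or from Splunk) that models how Vixie cron interprets the two day fields, enumerates the dates on which the expression from the question would fire in April 2019, and shows the calendar test a search could apply instead. The function names (`cron_fires_on`, `fire_dates`, `first_monday_of_month`) and the choice of April 2019 as the sample month are assumptions of this example.

```python
"""Added example (not from the original thread or from Splunk): a minimal model
of how Vixie cron combines the day-of-month and day-of-week fields, applied to
the expression "0 8 1-7 * 1" from the question. Function names are assumed."""
from datetime import date, timedelta


def _parse_field(field, lo, hi):
    """Expand one cron field ('*', '5', '1-7', '1,15', '*/2') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def cron_fires_on(expr, day):
    """True if the date fields of a five-field cron expression match `day`.

    Rule quoted from the crontab manual above: when BOTH day-of-month and
    day-of-week are restricted (neither is '*'), the entry runs when EITHER
    matches; otherwise the single restricted field must match. Minute and hour
    are ignored here because only the date logic is in question.
    """
    _minute, _hour, dom_f, mon_f, dow_f = expr.split()
    if day.month not in _parse_field(mon_f, 1, 12):
        return False
    # cron numbers days 0 (or 7) = Sunday .. 6 = Saturday; Python's weekday() is 0 = Monday
    cron_dow = (day.weekday() + 1) % 7
    dom_ok = day.day in _parse_field(dom_f, 1, 31)
    dow_ok = cron_dow in {d % 7 for d in _parse_field(dow_f, 0, 7)}
    if dom_f != "*" and dow_f != "*":
        return dom_ok or dow_ok      # both restricted: OR, as the manual says
    return dom_ok and dow_ok         # only one restricted: the '*' side is always true


def fire_dates(expr, year, month):
    """All dates in the given month on which `expr` fires (time fields ignored)."""
    day = date(year, month, 1)
    out = []
    while day.month == month:
        if cron_fires_on(expr, day):
            out.append(day)
        day += timedelta(days=1)
    return out


def first_monday_of_month(day):
    """The test the alert actually wants: Monday, and within the first seven days."""
    return day.weekday() == 0 and day.day <= 7


if __name__ == "__main__":
    # Sample month (constructed for this example): April 2019, where the 1st is a Monday.
    expr = "0 8 1-7 * 1"
    for d in fire_dates(expr, 2019, 4):
        tag = "  <- the only day the alert should run" if first_monday_of_month(d) else ""
        print(d, d.strftime("%A"), tag)
```

Run as a script, the enumeration shows eleven firing dates for April 2019: the 1st through the 7th (day-of-month match) plus the Mondays on the 8th, 15th, 22nd and 29th (day-of-week match), which is the same reading crontab.guru gives for this expression. Only the 1st satisfies `first_monday_of_month`. Note that this rule alone does not account for the missing Wednesday (04/03) or the 8pm firing time reported in the question; those are separate things to check. The equivalent gate inside the Splunk search, assuming the standard strftime format codes that `eval` accepts, is along the lines of `| where strftime(now(), "%A")=="Monday" AND tonumber(strftime(now(), "%d"))<=7`, so the alert can keep a simpler schedule (for example `0 8 * * 1`, every Monday) and let the search decide whether this Monday is the first one.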

lespinoza212
New Member

Hello @renjith.nair ,
Thanks for the quick response. I've read that part of the crontab manual, but if it is as it says, it would have triggered on Wednesday (04/03) as well, which it didn't. My alert triggers if my search's result count is equal to 0.

These logs are only expected on the first Monday of every month.

I remembered that when I created the alert some months ago, I took as reference this post: https://answers.splunk.com/answers/495212/cron-expression-for-first-two-mondays-of-every-mon.html

Luis

