Hello,
Recently we got Splunk upgraded to version 7.2.5.1 and one of my alerts have been triggering not following it's cron schedule expression. I wrote this cron expression for an alert which only supposed to run at 8am the first Monday of every month:
0 8 1-7 * 1
Just to break this down:
0: Minute
8: Hour
1 - 7: Day of the month
*: Month
1: Day of the week (Monday)
The alert was behaving as expected before the upgrade. It have triggered on Tuesday 04/02 at 8pm Est and on Thursday 04/04 at 8pm. What may be the issue? Any help is appreciated. Thanks for your time.
Luis Espinoza
Check you cron configuration on crontab.guru
https://crontab.guru/#0_8_1-7_*_1,Check your crontab logic on crontab.guru web page:
@lespinoza212,
It does not seem to be a splunk alert issue but crontab works that way
Below is from crontab manual
Note: The day of a command's execution can be specified by two fields - day of month, and day of week.
If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time.
For example,
"30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.
So in your case, it runs every month from 1-7 and also on every Monday
You might need to include the logic in your search
Hello @renjith.nair ,
Thanks for the quick response. I've read that part of the crontab manual, but if it is as it says, it would have triggered on Wednesday (04/03) as well, which it didn't. My alert triggers if my search string results count is equal to 0.
These logs are only expected on the first monday of every month.
I remembered that when I created the alert some months ago, I took as reference this post: https://answers.splunk.com/answers/495212/cron-expression-for-first-two-mondays-of-every-mon.html
Luis
Check your cron configuration on crontab.guru site:
https://crontab.guru/#0_8_1-7_*_1