Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Ignores my cron and sets his own daily

darismendy
Explorer
‎01-21-2020 11:56 AM

Hello

I am having an issue when scheduling some reports which i set cron as : 0 6 3 * * which is “At 06:00 on day-of-month 3." but when i see the next schedule it shows as daily at 06:00, for example it shows that is scheduled for tomorrow 22/01/2020 at 06:00

0 Karma
Reply

pgoyal_splunk
Splunk Employee
Splunk Employee
‎01-30-2020 09:05 PM

Add a scheduled task
The layout for a cron entry is made up of six components: minute, hour, day of month, month of year, day of week, and the command to be executed.

m h dom mon dow command

* * * * * command to execute

┬ ┬ ┬ ┬ ┬

│ │ │ │ │

│ │ │ │ │

│ │ │ │ └───── day of week (0 - 7) (0 to 6 are Sunday to Saturday, or use names; 7 is Sunday, the same as 0)

│ │ │ └────────── month (1 - 12)

│ │ └─────────────── day of month (1 - 31)

│ └──────────────────── hour (0 - 23)

└───────────────────────── min (0 - 59)

Example expressions
Here are some example cron expressions.

*/5 * * * * Every 5 minutes.
*/30 * * * * Every 30 minutes.
0 */12 * * * Every 12 hours, on the hour.
*/20 * * * 1-5 Every 20 minutes, Monday through Friday.
0 9 1-7 * * The first 7 days of every month at 9 AM.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Alert/CronExpressions

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎01-30-2020 01:20 PM

Hi. What version of Splunk are you running?

I can't find anything in the release notes about your issue but I see someone else had a similar problem with Splunk 7.2.x

https://answers.splunk.com/answers/737480/did-the-cron-scheduler-change-between-versions.html

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2020 12:13 PM

Is 0 6 3 the entire cron string? If so, it's incomplete and probably is why Splunk is not running the report at the right time. Try 0 6 3 * *.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

darismendy
Explorer
‎01-23-2020 11:11 AM

is complete as you wrote it, but i meant to write 0 6 3 * *

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2020 04:35 AM

0 6 3 is not a valid cron string. It must have 5 arguments, not just 3.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

darismendy
Explorer
‎01-30-2020 09:23 AM

i wrote 5 by real, it was just a mistake in the question, it is 0 6 3 * *

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...