Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cron schedule for saved search on last day of month

leeraym
Path Finder
‎06-03-2010 09:15 PM

Is it possible to schedule a saved search to run on the last day of the month? In UNIX, you can accomplish this by doing something like:

59 23 * * * [[ $(date +'%d') -eq $(cal | awk '!/^$/{ print $NF }' | tail -1) ]] && job.sh

I don't think I can do this in the Splunk interface though. I noticed under Basic scheduling, there's an option to run every "week (every Saturday at midnight)". It would be great to have another option to run every "month (last day of month at midnight)". Feature request?

Tags (2)
Reply

Lowell
Super Champion
‎06-04-2010 08:31 PM

I highly doubt that such syntax is supported here; or even across various UNIX cron implementations; I could be wrong.

Have you considered simply run the report on the first day of every month and running your search for the range of the previous month?

cron_schedule = 5 1 1 * *
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon

This example would run on the first of every month at 1:05 AM and searches over the last full month. Would this work for what you are trying to do?

Doc references:

Reply

mrzmsmglsnk
Explorer
‎03-06-2013 06:26 AM

Thnx from me 2!

0 Karma
Reply

leeraym
Path Finder
‎06-09-2010 03:40 AM

Thanks! That should work nicely.

0 Karma
Reply

leeraym
Path Finder
‎06-04-2010 01:14 PM

I guess there is a not-so-elegant solution to this. Create 3 of the same saved searches and schedule them like this: cron1 at "59 23 31 1,3,5,7,8,10,12 *" to handle the months with 31 days; cron2 at "59 23 30 4,6,9,11 *" to handle the months with 30 days ; cron3 at "59 23 28,29 2 *" to handle February. But a more elegant, single savedsearch solution would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...