Alerting

Can you help me with the cron scheduling of my alert?

Contributor

Hello,

I need help with the cron scheduling of my alert. It is:

0,30 * * * *

From which I would expect my alert to always be triggered at the 0th and 30th minute of an hour.

Below are my triggering times (I test it the way that there is always a result returned, so the alert should always be triggered):

6:40
7:15
7:39
8:19
8:39
9:19
9:39
10:19
11:20
11:40

Any hint why this is and how I would reach my goal?

The alert search itself takes only a couple of seconds and does not justify this kind of delay.

Kind regards,
Kamil

0 Karma
1 Solution

Influencer

There shouldn't be a "," in your cron.

To test cron this site is good: https://crontab.guru/#0_12_*_*_5


0 Karma

Contributor

Hello dkeck,

Could you please paste the cron notation in that case?
The following combination:

0 30 * * * *

Is not accepted by Splunk. Only the:

030 * * * *

But I guess it does not do what I want.

Kind Regards,
Kamil

0 Karma

Influencer

This is for every 30 min

*/30 * * * *
0 Karma

Contributor

Hello,

Yes, but I would like precisely at the minute 0 and 30.
How would it be then?

Kind Regards,
Kamil

0 Karma

Influencer

Ah ok, so I mixed that up, your initial thought was correct then: 0,30 * * * *

0 Karma

Contributor

Yes, so if my initial thought was correct, the question would be why do I get the triggering times as I get:

 6:40
 7:15
 7:39
 8:19
 8:39
 9:19
 9:39
 10:19
 11:20
 11:40
0 Karma

Influencer

Hm, I tested it, it's working.

How do you set up the alert?

0 Karma

Contributor

"Run on Schedule" --> "Cron expression" --> 0,30 * * * *

Each time I scan the time range of 7 days in the past with my search just to find something and trigger the alert. But as mentioned, the search itself is quite fast and should not lead to this kind of delay.

0 Karma

Influencer

Please check the scheduler log. There should be logs stating when the search ran and how long it took, maybe it's taking too long.

index=_internal sourcetype=scheduler savedsearch_name=

Contributor

Thank you.
I used the following search:

index=_internal sourcetype=scheduler savedsearch_name=BWP* savedsearch_name="BWP Parameter Changes" | convert ctime(scheduled_time) as SCHEDULE | convert ctime(dispatch_time) as DISPATCH | table _time SCHEDULE DISPATCH run_time

and there is a significant delay / difference between scheduled_time and dispatch_time. So I guess the scheduling works fine, but there is some issue with dispatching. What would be the common reasons for that? Resource exhaustion?

I scheduled it now a bit differently:

17,47 * * * *

to see if I get better results, assuming that many other searches get kicked off on the 0th and 30th minute of an hour.

Influencer

Could be that more than this search is scheduled for this time, since many users/apps schedule their search around this time.

Nice that we got to the bottom of this 🙂

Please accept the answer 🙂

0 Karma
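
The delay this thread ends up diagnosing can be read directly from the trigger times in the first post. The following is an added example, not part of any post and not Splunk code: it expands the minute field of the cron expression and measures how many minutes after the latest scheduled slot each alert fired. The function names are hypothetical, and only the minute field is evaluated (the other four fields are assumed to be `*`, as in the thread).

```python
"""Added example: measure how late each alert fired relative to its cron slot."""
from datetime import datetime, timedelta


def parse_minute_field(field):
    """Expand a cron minute field ('0,30', '*/30', '17,47', '5-10') to a set of minutes."""
    minutes = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            lo, hi = 0, 59
        elif "-" in base:
            lo, hi = (int(x) for x in base.split("-"))
        else:
            lo = int(base)
            hi = 59 if "/" in part else lo
        if not (0 <= lo <= hi <= 59) or step < 1:
            raise ValueError(f"invalid minute field part: {part!r}")
        minutes.update(range(lo, hi + 1, step))
    return minutes


def dispatch_lag(cron_expr, observed):
    """Return (observed, scheduled_slot, lag_minutes) for each observed HH:MM time.

    Assumption: hour, day, month and weekday fields are all '*'.
    """
    fields = cron_expr.split()
    if len(fields) != 5 or fields[1:] != ["*"] * 4:
        raise ValueError("expected five fields with '*' for hour/day/month/weekday")
    minutes = parse_minute_field(fields[0])
    rows = []
    for text in observed:
        fired = datetime.strptime(text, "%H:%M")
        slot = fired
        while slot.minute not in minutes:  # walk back to the latest scheduled minute
            slot -= timedelta(minutes=1)
        rows.append((text, slot.strftime("%H:%M"), int((fired - slot).total_seconds() // 60)))
    return rows


# Trigger times reported in the thread for the expression "0,30 * * * *".
OBSERVED = ["6:40", "7:15", "7:39", "8:19", "8:39", "9:19", "9:39", "10:19", "11:20", "11:40"]

if __name__ == "__main__":
    for fired, slot, lag in dispatch_lag("0,30 * * * *", OBSERVED):
        print(f"fired {fired:>5}  scheduled {slot}  lag {lag:2d} min")
```

Every reported time falls 9 to 20 minutes after a :00 or :30 slot, which matches the scheduled_time versus dispatch_time gap found in the scheduler log rather than a wrong cron expression.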