Alerting

Cron Expression: Run every 5 minutes at 3pm every day

demkic
Explorer

Hi, I am struggling to create a cron expression to run my alert every 5 minutes at 3pm every day.

I found the following expression online: 0 0/5 15 * * ? However, Splunk is not accepting this as a valid Cron.
Also, could you please explain the reasoning behind the correct answer? I often struggle with cron expressions ..

Thank you so much.

0 Karma
1 Solution

jcaceres
Explorer

I think you want */5, not 0/5

The example below runs every 5 minutes, every day for 1 hour starting at 3PM
*/5 15 * * *

So the alert would run at:
15:00
15:05
15:10
...etc.

If you want your alert to only run for an hour, 15-16 for example, then it would be:
*/5 15-16 * * *
and would run at:
15:00
15:05
15:10
...etc.

and the last run would be at:
15:55

View solution in original post

0 Karma

mayurr98
Super Champion

As per your question Run every 5 minutes at 3 pm every day which means it will start at 3 pm and the next day till 3pm..so it is same as running for every 5 minutes every day it does not make any sense. Either your question should be run every day at 3 pm every 5 minutes for a period of an hour or so..or run every 5 minutes every day 0/5 15 * * * does not make any sense to me. as this will run the report at 3 pm, give you a result and stop. In other words, it will run only once.

So if you want your report to run every 5 minutes at 3 pm for entire day till midnight then your cron expression should be

*/5 15-23 * * *

I hope you understand what I am trying to say.

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hi demkic,

take this cron range.

0/5 15 * * *

so the first 0 means it will start at a full hour... this could also be a *, but we won't get into it.
the /5 says it will run every 5 minutes
the 15 stands to run at 3pm on a 24 hour clock
the * means it will run every day
the * means it will run every month
the *means it will run every day of the week

0 Karma

jcaceres
Explorer

I think you want */5, not 0/5

The example below runs every 5 minutes, every day for 1 hour starting at 3PM
*/5 15 * * *

So the alert would run at:
15:00
15:05
15:10
...etc.

If you want your alert to only run for an hour, 15-16 for example, then it would be:
*/5 15-16 * * *
and would run at:
15:00
15:05
15:10
...etc.

and the last run would be at:
15:55

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...