Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Cron Issue: How to send a report on specific day?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'd like a report to be sent every first Tuesday of the month at 11:00 pm. Thinking logically, I should use this cron: 0 23 1-7 * 2. But for some reason, I receive the report every day during the first week of the month.
Do you have an idea what am I doing wrong?
Thanks for the help.
Alex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Cron schedule is inclusive, so 1-7 will result in alerts being sent every day for that first week. You can review sample crontab schedules at crontab.guru
What I believe would work is using an Alert with a conditional trigger, then adding some logic to your search based on the current date/time of the results so that Splunk only meets the condition for sending an alert during the time window you want to trigger.
For this example the search you're trying to send would include some kind of aggregate count, using "{base search} | eval count by myfield"
Create a new saved search and set the cron schedule to run every tuesday:
0 23 * * 2
... set the search alert condition to "if custom condition is met" and add the criteria
search count > 0
Then the following at the end of the saved search:
| eval da_wday=strftime(now(),"%w"), da_mday=strftime(now(),"%d")
| eval count=case(da_mday<=7 AND da_wday==2,count,1==1,0)
| fields - da_*
These additional search commands will zero out the "count" field unless the current day/time is in the first week (da_mday<=7) and the weekday is Tuesday (da_wday==2). The search will run every Tuesday thanks to the Cron schedule in the saved search, but your custom alert condition will drop those since the alert condition isn't being met.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Cron schedule is inclusive, so 1-7 will result in alerts being sent every day for that first week. You can review sample crontab schedules at crontab.guru
What I believe would work is using an Alert with a conditional trigger, then adding some logic to your search based on the current date/time of the results so that Splunk only meets the condition for sending an alert during the time window you want to trigger.
For this example the search you're trying to send would include some kind of aggregate count, using "{base search} | eval count by myfield"
Create a new saved search and set the cron schedule to run every tuesday:
0 23 * * 2
... set the search alert condition to "if custom condition is met" and add the criteria
search count > 0
Then the following at the end of the saved search:
| eval da_wday=strftime(now(),"%w"), da_mday=strftime(now(),"%d")
| eval count=case(da_mday<=7 AND da_wday==2,count,1==1,0)
| fields - da_*
These additional search commands will zero out the "count" field unless the current day/time is in the first week (da_mday<=7) and the weekday is Tuesday (da_wday==2). The search will run every Tuesday thanks to the Cron schedule in the saved search, but your custom alert condition will drop those since the alert condition isn't being met.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @wenthold ,
The solution is a bit more complicated that I thought 🙂 But it works perfectly fine.
Thanks for the help!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Accelerating Observability as Code with the Splunk AI Assistant
