Cron schedule in Splunk Cloud to run every second ...

nabeel652 · ‎10-28-2024

Hello Splunkers

I have a requirement to run an alert on second Tuesday of each month at 5:30am. I came up with

30 05 8-14 * 2

However, Splunk tends to run it every Tuesday regardless of the date being between 8th to 14th.

Is this a shortcoming in Splunk or I'm doing something wrong?

gcusello · ‎10-29-2024

Hi @nabeel652 ,

if the alert must run only one the second Tuesday of the month, you could use your cron and add a condition in the alert, that the day of mont must be between 8 and 15:

<your_search> (date_mday>7 date_mday<16)
| ...

Ciao.

Giuseppe

nabeel652 · ‎10-29-2024

Thanks for the reply. Sorry that's not what I want to achieve. My search spans over last 30 days - This will only make it look for the timespan > 7 and < 14 days.

I want Splunk to run this search on the given Cron schedule not to change the search time span.

gcusello · ‎10-30-2024

Hi @nabeel652 ,

for my knowledge, you can schedule a search using cron on Tuesday, but not on the second Tuesday.

To do this, the only way is adding a contrain to the search.

Ciao.

Giuseppe

nabeel652 · ‎10-30-2024

Thank you. That's what I thought too. However,

30 05 8-14 * 2

is a valid cron and Splunk should consider fixing this

Cron schedule in Splunk Cloud to run every second Tuesday of the month

alert action

alert condition

cron

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?