Re: Cron schedule in Splunk Cloud to run every sec...

nabeel652 · ‎10-28-2024

Hello Splunkers

I have a requirement to run an alert on second Tuesday of each month at 5:30am. I came up with

30 05 8-14 * 2

However, Splunk tends to run it every Tuesday regardless of the date being between 8th to 14th.

Is this a shortcoming in Splunk or I'm doing something wrong?

gcusello · ‎10-29-2024

Hi @nabeel652 ,

if the alert must run only one the second Tuesday of the month, you could use your cron and add a condition in the alert, that the day of mont must be between 8 and 15:

<your_search> (date_mday>7 date_mday<16)
| ...

Ciao.

Giuseppe

nabeel652 · ‎10-29-2024

Thanks for the reply. Sorry that's not what I want to achieve. My search spans over last 30 days - This will only make it look for the timespan > 7 and < 14 days.

I want Splunk to run this search on the given Cron schedule not to change the search time span.

gcusello · ‎10-30-2024

Hi @nabeel652 ,

for my knowledge, you can schedule a search using cron on Tuesday, but not on the second Tuesday.

To do this, the only way is adding a contrain to the search.

Ciao.

Giuseppe

nabeel652 · ‎10-30-2024

Thank you. That's what I thought too. However,

30 05 8-14 * 2

is a valid cron and Splunk should consider fixing this

Cron schedule in Splunk Cloud to run every second Tuesday of the month

alert action

alert condition

cron

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?