Alerting

Splunk Alert With Cron Triggering when it shouldn't

lespinoza212
New Member

Hello,

Recently we got Splunk upgraded to version 7.2.5.1 and one of my alerts has been triggering without following its cron schedule expression. I wrote this cron expression for an alert which is only supposed to run at 8am on the first Monday of every month:

0 8 1-7 * 1

Just to break this down:

0: Minute
8: Hour
1-7: Day of the month
*: Month
1: Day of the week (Monday)

The alert was behaving as expected before the upgrade. It has triggered on Tuesday 04/02 at 8pm EST and on Thursday 04/04 at 8pm. What may be the issue? Any help is appreciated. Thanks for your time.

Luis Espinoza

0 Karma

oztraik9
Engager

Check your cron configuration on crontab.guru:

https://crontab.guru/#0_8_1-7_*_1

0 Karma

renjith_nair
Legend

@lespinoza212,

It does not seem to be a Splunk alert issue; crontab works that way.

Below is from the crontab manual:

Note: The day of a command's execution can be specified by two fields - day of month, and day of week. 
If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. 
For example,
"30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.

So in your case, it runs on days 1-7 of every month and also on every Monday.

You might need to include the logic in your search.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
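Added example, not code from this thread or from Splunk: a small Python matcher that implements the day-of-month / day-of-week rule quoted from the crontab manual above, runs it over April 2019 (the month in the question; April 1, 2019 was a Monday), and then applies the "first Monday of the month" check that no single five-field cron expression can express. The expression `0 8 1-7 * 1` and the dates come from the question; the function names and the two comparison expressions are constructed for this illustration.

```python
"""Vixie-cron style schedule matcher showing the day-of-month / day-of-week OR rule.

Added example for the thread above (not Splunk code). It parses the five-field
cron syntax Splunk alerts use and reproduces the rule quoted from the crontab
manual: when BOTH the day-of-month and day-of-week fields are restricted (do not
start with '*'), a minute matches if EITHER field matches.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Tuple


def _expand(field: str, lo: int, hi: int) -> FrozenSet[int]:
    """Expand one numeric field ('*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n') into the ints it matches."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"cron field {field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return frozenset(values)


@dataclass(frozen=True)
class CronSpec:
    minutes: FrozenSet[int]
    hours: FrozenSet[int]
    doms: FrozenSet[int]
    months: FrozenSet[int]
    dows: FrozenSet[int]      # cron numbering: 0 = Sunday ... 6 = Saturday (7 folded to 0)
    dom_restricted: bool      # day-of-month field did not start with '*'
    dow_restricted: bool      # day-of-week field did not start with '*'


def parse_cron(expr: str) -> CronSpec:
    """Parse 'minute hour day-of-month month day-of-week' (numeric fields only, as in the thread)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields")
    minute, hour, dom, month, dow = fields
    return CronSpec(
        minutes=_expand(minute, 0, 59),
        hours=_expand(hour, 0, 23),
        doms=_expand(dom, 1, 31),
        months=_expand(month, 1, 12),
        dows=frozenset(0 if d == 7 else d for d in _expand(dow, 0, 7)),
        dom_restricted=not dom.startswith("*"),
        dow_restricted=not dow.startswith("*"),
    )


def cron_matches(spec: CronSpec, when: datetime) -> bool:
    """True if cron would fire at this minute."""
    if (when.minute not in spec.minutes or when.hour not in spec.hours
            or when.month not in spec.months):
        return False
    dom_ok = when.day in spec.doms
    dow_ok = (when.weekday() + 1) % 7 in spec.dows   # Python Monday=0 -> cron Monday=1
    if spec.dom_restricted and spec.dow_restricted:
        return dom_ok or dow_ok                      # the OR rule from the manual
    return dom_ok and dow_ok


def fire_times(expr: str, start: datetime, end: datetime) -> List[datetime]:
    """Every minute in [start, end) at which `expr` fires (brute force, fine for a month)."""
    spec = parse_cron(expr)
    hits, t = [], start.replace(second=0, microsecond=0)
    while t < end:
        if cron_matches(spec, t):
            hits.append(t)
        t += timedelta(minutes=1)
    return hits


def is_first_weekday_of_month(when: datetime, cron_dow: int) -> bool:
    """The check cron cannot express on its own: first occurrence of a weekday (cron numbering) in its month."""
    return (when.weekday() + 1) % 7 == cron_dow and when.day <= 7


def month_span(year: int, month: int) -> Tuple[datetime, datetime]:
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def fire_days(expr: str, year: int, month: int) -> List[int]:
    """Day numbers in the given month on which `expr` fires at least once."""
    return sorted({t.day for t in fire_times(expr, *month_span(year, month))})


def first_weekday_fire_days(expr: str, year: int, month: int, cron_dow: int) -> List[int]:
    """fire_days() narrowed by the first-weekday check, i.e. what the search itself has to enforce."""
    return [t.day for t in fire_times(expr, *month_span(year, month))
            if is_first_weekday_of_month(t, cron_dow)]


def fires_at(expr: str, year: int, month: int, day: int, hour: int, minute: int = 0) -> bool:
    return cron_matches(parse_cron(expr), datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for expr in ("0 8 1-7 * 1", "0 8 1-7 * *", "0 8 * * 1"):
        print(f"{expr:14} -> April 2019 runs on days {fire_days(expr, 2019, 4)}")
    print("after the first-Monday filter:", first_weekday_fire_days("0 8 1-7 * 1", 2019, 4, 1))
```

Running it shows `0 8 1-7 * 1` firing on days 1 through 7 and on every Monday (8, 15, 22, 29), which includes the Tuesday 04/02 and Thursday 04/04 runs from the question, while the filter leaves only April 1. Inside the Splunk search the same check belongs on the run time rather than on event time, for example with `strftime(now(), "%A")` and `tonumber(strftime(now(), "%d"))` in an `eval`/`where` step; with a trigger condition of "number of results is equal to 0", make sure the off-schedule runs still return a non-empty result rather than filtering everything away, or the date check itself will fire the alert.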

lespinoza212
New Member

Hello @renjith.nair,
Thanks for the quick response. I've read that part of the crontab manual, but if it is as it says, it would have triggered on Wednesday (04/03) as well, which it didn't. My alert triggers if my search's result count is equal to 0.

These logs are only expected on the first Monday of every month.

I remembered that when I created the alert some months ago, I took as reference this post: https://answers.splunk.com/answers/495212/cron-expression-for-first-two-mondays-of-every-mon.html

Luis

0 Karma
