Recently we got Splunk upgraded to version 184.108.40.206, and one of my alerts has been triggering without following its cron schedule expression. I wrote this cron expression for an alert which is only supposed to run at 8am on the first Monday of every month:
0 8 1-7 * 1
Just to break this down:
1-7: Day of the month
1: Day of the week (Monday)
The alert was behaving as expected before the upgrade. It has triggered on Tuesday 04/02 at 8pm EST and on Thursday 04/04 at 8pm. What may be the issue? Any help is appreciated. Thanks for your time.
It does not seem to be a Splunk alert issue; that is simply how crontab works.
Below is from the crontab manual:
Note: The day of a command's execution can be specified by two fields - day of month, and day of week. If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. For example, "30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.
So in your case, it runs on days 1-7 of every month and also on every Monday.
You might need to include the logic in your search instead.
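To make the manual's OR rule concrete, here is an added Python example (not from this thread or from Splunk) that evaluates a five-field cron expression with crontab(5) semantics and shows that `0 8 1-7 * 1` also matches Tuesday 04/02, Wednesday 04/03 and the second Monday, next to the AND check you would put in the search itself. It assumes the year is 2019, when April 1 fell on a Monday, which is what the weekday/date pairs above imply.

```python
from datetime import datetime


def _field_matches(field: str, value: int) -> bool:
    """True if one cron field ('*', '1-7', '1,15', '*/2', '5') matches value."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            lo, hi = 0, 59          # wide enough for minute, hour, day, month and weekday
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False


def cron_matches(expr: str, when: datetime) -> bool:
    """crontab(5) rule: when BOTH day-of-month and day-of-week are restricted
    (neither is '*'), the job runs when EITHER of them matches."""
    minute, hour, dom, month, dow = expr.split()
    cron_dow = (when.weekday() + 1) % 7        # cron numbering: 0 = Sunday .. 6 = Saturday
    time_ok = (_field_matches(minute, when.minute)
               and _field_matches(hour, when.hour)
               and _field_matches(month, when.month))
    dom_ok = _field_matches(dom, when.day)
    dow_ok = _field_matches(dow, cron_dow) or (cron_dow == 0 and _field_matches(dow, 7))
    if dom != "*" and dow != "*":
        day_ok = dom_ok or dow_ok              # the surprising OR from the manual
    else:
        day_ok = dom_ok and dow_ok             # '*' matches everything, so AND is harmless
    return time_ok and day_ok


def fires_on(expr: str, year: int, month: int, day: int, hour: int = 8, minute: int = 0) -> bool:
    """Convenience wrapper: would expr fire at the given local wall-clock time?"""
    return cron_matches(expr, datetime(year, month, day, hour, minute))


def is_first_monday(when: datetime) -> bool:
    """What the OP actually wants (day 1-7 AND Monday); cron cannot express this
    in one line, so this is the check to put in the search or a scheduled script."""
    return when.weekday() == 0 and when.day <= 7
```

Running `fires_on("0 8 1-7 * 1", 2019, 4, 3)` returns True, so under the manual's rule the Wednesday run would have been expected as well; `is_first_monday` is the AND logic that only passes on 2019-04-01.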
Hello @renjith.nair ,
Thanks for the quick response. I've read that part of the crontab manual, but if it is as it says, it would have triggered on Wednesday (04/03) as well, which it didn't. My alert triggers if my search string results count is equal to 0.
These logs are only expected on the first Monday of every month.
I remembered that when I created the alert some months ago, I took as reference this post: https://answers.splunk.com/answers/495212/cron-expression-for-first-two-mondays-of-every-mon.html