Splunk Alert With Cron Triggering when it shouldn't

New Member


Recently we got Splunk upgraded to version and one of my alerts has been triggering without following its cron schedule expression. I wrote this cron expression for an alert which is only supposed to run at 8am on the first Monday of every month:

0 8 1-7 * 1

Just to break this down:

0: Minute
8: Hour
1-7: Day of the month
*: Month
1: Day of the week (Monday)

The alert was behaving as expected before the upgrade. It has triggered on Tuesday 04/02 at 8pm EST and on Thursday 04/04 at 8pm. What may be the issue? Any help is appreciated. Thanks for your time.

Luis Espinoza

0 Karma


Check your cron configuration; check your crontab logic on the web page.

0 Karma



It does not seem to be a Splunk alert issue; crontab works that way.

Below is from the crontab manual:

Note: The day of a command's execution can be specified by two fields - day of month, and day of week. 
If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. 
For example,
"30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.

So in your case, it runs on days 1-7 of every month and also on every Monday.

You might need to include the logic in your search.

0 Karma
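The behaviour described in this answer, as an added example that is not part of the original thread: a small Python model of the crontab day-matching rule (when both day-of-month and day-of-week are restricted, the job fires when either matches) applied to the poster's expression `0 8 1-7 * 1`, plus the guard the answer suggests moving into the search itself, which is true only on a Monday whose day number is 1 through 7. The dates are the ones from the thread, taken as 2019 (an assumption; April 2nd 2019 was a Tuesday and April 4th a Thursday), at 08:00 as the expression specifies.

```python
from datetime import datetime


def _field_matches(field: str, value: int, lo: int, hi: int) -> bool:
    """Return True if one cron field ('*', lists, ranges, steps) matches value."""
    if field == "*":
        return True
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr: str, when: datetime) -> bool:
    """Model of the crontab rule quoted above: if BOTH the day-of-month and the
    day-of-week fields are restricted (not '*'), the job runs when EITHER field
    matches, not when both do."""
    minute, hour, dom, month, dow = expr.split()
    # cron numbers weekdays 0=Sunday..6=Saturday (7 also means Sunday);
    # Python's weekday() is 0=Monday..6=Sunday, so convert.
    cron_dow = (when.weekday() + 1) % 7
    time_ok = (_field_matches(minute, when.minute, 0, 59)
               and _field_matches(hour, when.hour, 0, 23)
               and _field_matches(month, when.month, 1, 12))
    dom_ok = _field_matches(dom, when.day, 1, 31)
    dow_ok = (_field_matches(dow, cron_dow, 0, 7)
              or (cron_dow == 0 and _field_matches(dow, 7, 0, 7)))
    if dom != "*" and dow != "*":
        day_ok = dom_ok or dow_ok   # the surprising OR from the manual
    else:
        day_ok = dom_ok and dow_ok
    return time_ok and day_ok


def is_first_monday(when: datetime) -> bool:
    """The guard to put on the search side: the first Monday of a month is the
    only Monday whose day-of-month is between 1 and 7."""
    return when.weekday() == 0 and 1 <= when.day <= 7


def should_alert(expr: str, when: datetime) -> bool:
    """Schedule match AND the search-side guard: only the first Monday gets through."""
    return cron_matches(expr, when) and is_first_monday(when)


if __name__ == "__main__":
    expr = "0 8 1-7 * 1"
    # Constructed sample times: the two firings reported in the thread, a later
    # Monday, a later Tuesday, and the actual first Monday.
    for d in ("2019-04-02", "2019-04-04", "2019-04-15", "2019-04-09", "2019-04-01"):
        when = datetime.strptime(d + " 08:00", "%Y-%m-%d %H:%M")
        print(d, when.strftime("%A"),
              "cron fires:", cron_matches(expr, when),
              "with guard:", should_alert(expr, when))
```

The same guard can be expressed inside the Splunk search with an `eval`/`where` on `strftime(now(), "%d")` and `strftime(now(), "%A")`, so the zero-result condition is only evaluated on a Monday whose day number is at most 7; the scheduler then fires on the extra days but the alert condition does not.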

New Member

Hello @renjith.nair,
Thanks for the quick response. I've read that part of the crontab manual, but if it is as it says, it would have triggered on Wednesday (04/03) as well, which it didn't. My alert triggers if my search string's result count is equal to 0.

These logs are only expected on the first Monday of every month.

I remembered that when I created the alert some months ago, I took as reference this post:


0 Karma


Check your cron configuration on the site.

0 Karma