Alerting

Splunk Alert with UTC Cron expression

SaintNick
Explorer

Our Splunk runs in local time, and Splunk Alerts with a Cron schedule and a cron expression such as "00 4,8,12,18 * * *" will run four times a day at the given LOCAL times. How can I tell it to run at UTC times?

SaintNick
Explorer

Call out to any Splunk engineer or moderator to answer this simple question!


gcusello
SplunkTrust

Hi @SaintNick ,

Splunk uses the timezone of the operating system, but the interface displays data according to the user's timezone; in any case, cron stays on the OS timezone.

The only way is to account for this in the cron definition; I don't know a method to apply timezones to the cron.

Ciao.

Giuseppe

SaintNick
Explorer

Thanks Giuseppe, that's exactly what I want to know: how to tell the cron to run in UTC times.


gcusello
SplunkTrust

Hi @SaintNick ,

Let us know if we can help you more, or please accept one answer for the benefit of other people in the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

inventsekar
SplunkTrust

Hi @SaintNick ... Stack Exchange gave this one:

https://unix.stackexchange.com/questions/710815/how-do-i-make-cron-use-utc

If you are using Windows or if the above idea didn't work, and you are looking for a simple shortcut, simply convert the time to UTC time manually and update the cron accordingly.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
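
The manual conversion suggested in the post above, as an added example that is not part of the original thread and not Splunk tooling: it rewrites the hour and minute fields of a daily cron expression so that a schedule meant as UTC fires at the matching local times on the search head. It goes one step beyond the thread by listing every UTC offset the zone uses in a year; the zone name `Europe/Berlin` and the function names are assumptions made for illustration.

```python
from datetime import datetime
from zoneinfo import ZoneInfo


def utc_cron_to_local(cron_utc: str, offset_minutes: int) -> str:
    """Shift the minute/hour fields of a daily cron expression from UTC to a
    zone that is offset_minutes ahead of UTC (negative = behind)."""
    minute, hour, dom, month, dow = cron_utc.split()
    if (dom, month, dow) != ("*", "*", "*"):
        # A shifted hour can cross midnight, which would also move the day fields.
        raise ValueError("only '* * *' day fields are handled")
    # int() rejects ranges and steps such as '4-8' or '*/6' with ValueError.
    starts = [int(h) * 60 + int(minute) for h in hour.split(",")]
    shifted = [(s + offset_minutes) % 1440 for s in starts]
    local_minute = shifted[0] % 60  # identical for every entry: same offset applied
    local_hours = sorted({s // 60 for s in shifted})
    return f"{local_minute} {','.join(map(str, local_hours))} * * *"


def offsets_in_year(tz_name: str, year: int) -> list[int]:
    """Distinct UTC offsets in minutes that tz_name uses during year, sampled
    mid-month; more than one value means the zone observes DST."""
    tz = ZoneInfo(tz_name)
    return sorted({
        int(datetime(year, m, 15, 12, tzinfo=tz).utcoffset().total_seconds()) // 60
        for m in range(1, 13)
    })


if __name__ == "__main__":
    wanted_utc = "00 4,8,12,18 * * *"   # the schedule from the question, read as UTC
    zone = "Europe/Berlin"              # assumed search head timezone (constructed)
    for off in offsets_in_year(zone, 2024):
        print(f"offset {off:+d} min -> {utc_cron_to_local(wanted_utc, off)}")
```

When the zone reports two offsets, the alert's cron expression has to be switched between the two results at each clock change to keep firing at the same UTC times.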

SaintNick
Explorer

Thanks @inventsekar, I don't have or want access to the Splunk system or user files. I only have access through the Web UI.

The Splunk documentation at https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/CronExpressions actually states:

You can customize alert scheduling using a time range and cron expression. The Splunk cron analyzer defaults to the timezone where the search head is configured. This can be verified or changed by going to Settings > Searches, reports, and alerts > Scheduled time.

But then nowhere below do they explain how to change the timezone for the cron schedule. And when I go to my alert and choose "Advanced Edit", I get a huge page with ~450 fields but nowhere the time zone. There is the field cron_schedule (and next_scheduled_time) but again, no way to change the time zone for the schedule.

So I conclude, it's simply not possible.
