@kzkk  You would have found an alternate way but this maybe useful in the future,

I had a similar requirement, and I solved it using a combination of a cron schedule and a condition in the search query. It's just two steps, first to setup a weekly schedule and then a condition to return result only once every two weeks.

1. Set up weekly cron schedule. For example, to run at 6 p.m.  on every Sunday, use:
   0 18 * * 0

2. Add the following condition to your search query, placing it where the query runs efficiently without affecting the final output:
   | eval biweekly_cycle_start=1726977600, biweekly=round(((relative_time(now(),"@d")-biweekly_cycle_start)/86400),0)%14 | where biweekly=0

In this example, I introduced a reference epoch time, biweekly_cycle_start, to calculate the two-week cycle. It represents the epoch time for two weeks before the alert schedule's starting date.

For instance, if your schedule begins on October 6, 2024, use the epoch time for the start of the day, September 22, 2024, which is 1726977600.

Each time the alert runs, the condition checks whether two weeks have passed since the last run. It returns results every two weeks and no results on the off week (seven days from the previous run).

Simply insert this condition where it will optimize the search performance, before the final transforming commands like stats, top, table, etc.

The answer is "no" and "no". You can't do that with simple cron schedules.

What is not explained in splunk docs but how your typical cron schedule works is that if you specify day of the month as well as day of the week, the task is launched when any of those conditions are met. So your task would be launched at 14th and 28th of the month as well as on every friday.

There is no way to say "biweekly" or "end of the month". Cron is a simple tool after all 😉