Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scripted Input Cron Schedule not working correctly

aknsun
Path Finder
‎07-11-2019 08:59 PM

I have the following inputs.conf for a scripted input. However this is not working as per what I thought it would. The first 2 scripts don't execute and the 3rd one, though it's scheduled to run at 00:30, runs at 00:05 which is basically the time set for the 1st script. Not sure what's happening. Didn't find any errors in _interanal.

[script:///]
disabled = 0
index = someindex
interval = 5 0 * * *
sourcetype = somesourcetype

[script:///]
disabled = 0
index = someindex
interval = 15 0 * * *
sourcetype = somesourcetype

[script:///]
disabled = 0
index = someindex
interval = 30 0 * * *
sourcetype = somesourcetype

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎07-11-2019 10:49 PM

Hi.

It looks like interval should just be number of seconds. Looks like you were trying to use a cron syntax.

https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ScriptSetup

For example from the docs

[script://$SPLUNK_HOME/etc/apps/<appName>/bin/starter_script.sh]
disabled = true # change to false to start the input, requires restart
host = # enter hostname here
index = main
interval = 30    #frequency to run the script, in seconds
source = my_db
sourcetype = my_db_data

View solution in original post

Reply
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎07-11-2019 10:49 PM

Hi.

It looks like interval should just be number of seconds. Looks like you were trying to use a cron syntax.

https://docs.splunk.com/Documentation/Splunk/7.3.0/AdvancedDev/ScriptSetup

For example from the docs

[script://$SPLUNK_HOME/etc/apps/<appName>/bin/starter_script.sh]
disabled = true # change to false to start the input, requires restart
host = # enter hostname here
index = main
interval = 30    #frequency to run the script, in seconds
source = my_db
sourcetype = my_db_data
Reply
Solved! Jump to solution

aknsun
Path Finder
‎07-21-2019 11:58 PM

There is an option to use Cron. However, as I found out, it wasn't very reliable. Reverted back to using "interval = seconds "

0 Karma
Reply
Solved! Jump to solution

aknsun
Path Finder
‎07-11-2019 09:56 PM

Looks like it's removing the final 2 "*" in my interval setting.

And I'm using https://crontab.guru.

0 Karma
Reply
Solved! Jump to solution

natalienguyen
Explorer
‎07-11-2019 09:35 PM

Hi,

Are the times on the machine you're running the scripts set to the correct time?

0 Karma
Reply
Solved! Jump to solution

aknsun
Path Finder
‎07-11-2019 09:49 PM

Yes, it's set to the correct time.

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...