Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What cron expression is supported for the PowerShell Modular Input schedule

martinho
Explorer
‎10-26-2016 07:55 PM

When using Splunk Web to configure a new Powershell v3 Modular Input the hint for the Cron Schedule the hint text states A cron string specifying the schedule for execution: seconds minutes hours days-of-month month days-of-week years but this does not seem to be a valid Cron expression. What syntax is supported by Splunk for this feature. I am using Splunk 6.3.1.

I'm asking this question so I can document the answer that I have found for easy future reference.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martinho
Explorer
‎10-27-2016 03:19 PM

From trial and error, it seems that the cron expression supported here is the same as for scheduled alerts:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts#Schedule_the_alert

and that is the 5 field version corresponding to correspond to minute hour day-of-month month day-of-week. See the Wikipedia entry for Cron for details:
https://en.wikipedia.org/wiki/Cron#CRON_expression

I suspect the incorrect hint text comes from the fact that there is also a Splunk Add-on for Microsoft PowerShell (https://splunkbase.splunk.com/app/1477/) that was implemented using Quartz.net (http://www.quartz-scheduler.net/) which has a different cron expression syntax for cron triggers (http://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html ).

It seems that the built-in PowerShell v3 Modular Input that comes with Splunk 6.3+ shares the same implementation as as other parts of the Splunk platform. The documentation for the PowerShell Modular Input: http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts uses the correct format for the examples although is still incorrectly includes a link to the Quartz.net implementation.

It makes sense that Splunk would not want you to be triggering these scripts with a more granular time scale than minutes so the lack of seconds support seems to fit.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martinho
Explorer
‎10-27-2016 03:19 PM

From trial and error, it seems that the cron expression supported here is the same as for scheduled alerts:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Definescheduledalerts#Schedule_the_alert

and that is the 5 field version corresponding to correspond to minute hour day-of-month month day-of-week. See the Wikipedia entry for Cron for details:
https://en.wikipedia.org/wiki/Cron#CRON_expression

I suspect the incorrect hint text comes from the fact that there is also a Splunk Add-on for Microsoft PowerShell (https://splunkbase.splunk.com/app/1477/) that was implemented using Quartz.net (http://www.quartz-scheduler.net/) which has a different cron expression syntax for cron triggers (http://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html ).

It seems that the built-in PowerShell v3 Modular Input that comes with Splunk 6.3+ shares the same implementation as as other parts of the Splunk platform. The documentation for the PowerShell Modular Input: http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts uses the correct format for the examples although is still incorrectly includes a link to the Quartz.net implementation.

It makes sense that Splunk would not want you to be triggering these scripts with a more granular time scale than minutes so the lack of seconds support seems to fit.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 05:08 AM

Quartz Scheduler Format, not Unix Standard. The doc has examples.

http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html
http://docs.splunk.com/Documentation/AddOns/released/MSPowerShell/Configuration

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital ResilienceTune in to What’s New in Splunk Enterprise ...

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...