Is it possible to schedule a saved search to run on the last day of the month? In UNIX, you can accomplish this by doing something like:
59 23 * * * [[ $(date +'\%d') -eq $(cal | awk '!/^$/{ print $NF }' | tail -1) ]] && job.sh
I don't think I can do this in the Splunk interface though. I noticed under Basic scheduling, there's an option to run every "week (every Saturday at midnight)". It would be great to have another option to run every "month (last day of month at midnight)". Feature request?
I highly doubt that such syntax is supported here; or even across various UNIX cron implementations; I could be wrong.
Have you considered simply running the report on the first day of every month and running your search for the range of the previous month?
cron_schedule = 5 1 1 * *
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon
This example would run on the first of every month at 1:05 AM and searches over the last full month. Would this work for what you are trying to do?
Doc references:
Thnx from me 2!
Thanks! That should work nicely.
I guess there is a not-so-elegant solution to this. Create 3 of the same saved searches and schedule them like this: cron1 at "59 23 31 1,3,5,7,8,10,12 *" to handle the months with 31 days; cron2 at "59 23 30 4,6,9,11 *" to handle the months with 30 days; cron3 at "59 23 28,29 2 *" to handle February. But a more elegant, single savedsearch solution would be appreciated.
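Added example, not part of any post in this thread: a Python check of the two approaches discussed above. It evaluates the day and month fields of the three quoted cron schedules against the real last day of each month, and computes the window that `-1mon@mon` to `@mon` selects for a run on the 1st. The function names are hypothetical, and the window is modeled in naive local time with an exclusive end, which is an assumption.

```python
import calendar
from datetime import date, datetime

# Day-of-month and month fields of the three schedules quoted in the thread.
WORKAROUND = [
    ({31}, {1, 3, 5, 7, 8, 10, 12}),  # cron1: 59 23 31 1,3,5,7,8,10,12 *
    ({30}, {4, 6, 9, 11}),            # cron2: 59 23 30 4,6,9,11 *
    ({28, 29}, {2}),                  # cron3: 59 23 28,29 2 *
]

def workaround_fire_dates(year):
    """Dates in `year` on which any of the three schedules fires."""
    fired = []
    for month in range(1, 13):
        days_in_month = calendar.monthrange(year, month)[1]
        for day in range(1, days_in_month + 1):
            if any(day in d and month in m for d, m in WORKAROUND):
                fired.append(date(year, month, day))
    return fired

def last_days(year):
    """The true last day of every month in `year`."""
    return [date(year, m, calendar.monthrange(year, m)[1]) for m in range(1, 13)]

def extra_runs(year):
    """Fire dates that are not the last day of their month."""
    return sorted(set(workaround_fire_dates(year)) - set(last_days(year)))

def previous_month_window(run_time):
    """(earliest, latest) for earliest=-1mon@mon, latest=@mon.

    Modeled for a run on the 1st, as in cron_schedule = 5 1 1 * *.
    """
    latest = run_time.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    if latest.month == 1:
        earliest = latest.replace(year=latest.year - 1, month=12)
    else:
        earliest = latest.replace(month=latest.month - 1)
    return earliest, latest

if __name__ == "__main__":
    for year in (2023, 2024):
        print(year, "runs:", len(workaround_fire_dates(year)),
              "extra:", extra_runs(year))
    print(previous_month_window(datetime(2024, 3, 1, 1, 5)))
```

In a leap year the February schedule fires on both the 28th and the 29th, so any report or alert built on the three-schedule variant needs to tolerate one extra run; the first-of-month schedule covers February in full without a special case.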