Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting "invalid cron" errors using a cron schedule to stagger scheduled searches in Splunk 6.1.3?

danielrusso1
Path Finder
‎10-29-2014 01:37 PM

I'm trying to stagger my scheduled searches in order to spread out resource utilization (20% of searches on the hour, 20% 1 minute after, 20% two minutes after etc.).

I should be able to use cron to accomplish this. There is even an existing Answer that addresses this:

http://answers.splunk.com/answers/118757/scheduling-alerts-via-cron.html

However, I get an "Invalid cron" error when attempting to user the following notation:

*/5 * * * *
1-59/5 * * * *
2-59/5 * * * *
3-59/56 * * * *
4-59/5 * * * *

This should work as well, it is a valid expression, but I get the same Splunk error:

*/5
1/5
2/5
3/5
4/5

What should I do here?

Reply
1 Solution
Solved! Jump to solution
Solution

danielrusso1
Path Finder
‎10-29-2014 02:08 PM

obviously 🙂

Looks like there could be a bug:

http://answers.splunk.com/answers/139412/scheduling-report-error.html

a212830 gravatar imagea212830 · Jun 10 at 01:07 PM
Turned out to be a bug - you can enter the cron entry via searches-reports and it will work.

I'm finding this work-around works.

View solution in original post

Reply
Solved! Jump to solution
Solution

danielrusso1
Path Finder
‎10-29-2014 02:08 PM

obviously 🙂

Looks like there could be a bug:

http://answers.splunk.com/answers/139412/scheduling-report-error.html

a212830 gravatar imagea212830 · Jun 10 at 01:07 PM
Turned out to be a bug - you can enter the cron entry via searches-reports and it will work.

I'm finding this work-around works.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-30-2014 06:09 AM

What view are you using exactly that throws up the error?

0 Karma
Reply
Solved! Jump to solution

danielrusso1
Path Finder
‎10-31-2014 10:11 AM

Alerts view does not work. Searches, reports, and alerts view does.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-31-2014 10:16 AM

I see, sounds like the alerts view had a more stringent validation built-in. That seems to be fixed in 6.2.0 🙂

0 Karma
Reply
Solved! Jump to solution

danielrusso1
Path Finder
‎10-31-2014 11:47 AM

hoping to move to the cloud shortly, that should do it!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 02:40 PM

Great... does that solve this?

0 Karma
Reply
Solved! Jump to solution

danielrusso1
Path Finder
‎10-30-2014 06:06 AM

Well, the work-around looks like it's working, but the bug still exists, and it is inconvenient.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 01:49 PM

My Splunk seems to accept 1-59/5 * * * *, says it's next scheduled at 51 past the hour.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 02:00 PM

6.2.0, obviously 🙂

The answers URL you posted pre-dates 6.1 though, so it should work on 6.1.3 as well.

0 Karma
Reply
Solved! Jump to solution

danielrusso1
Path Finder
‎10-29-2014 01:55 PM

What version are you on? I am on 6.1.3

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...