I'm trying to stagger my scheduled searches in order to spread out resource utilization (20% of searches on the hour, 20% 1 minute after, 20% two minutes after etc.).
I should be able to use cron to accomplish this. There is even an existing Answer that addresses this:
However, I get an "Invalid cron" error when attempting to user the following notation:
*/5 * * * * 1-59/5 * * * * 2-59/5 * * * * 3-59/56 * * * * 4-59/5 * * * *
This should work as well, it is a valid expression, but I get the same Splunk error:
*/5 1/5 2/5 3/5 4/5
What should I do here?
My Splunk seems to accept
1-59/5 * * * *, says it's next scheduled at 51 past the hour.
6.2.0, obviously 🙂
The answers URL you posted pre-dates 6.1 though, so it should work on 6.1.3 as well.
Looks like there could be a bug:
a212830 gravatar imagea212830 · Jun 10 at 01:07 PM
Turned out to be a bug - you can enter the cron entry via searches-reports and it will work.
I'm finding this work-around works.
Well, the work-around looks like it's working, but the bug still exists, and it is inconvenient.
What view are you using exactly that throws up the error?
Alerts view does not work. Searches, reports, and alerts view does.
I see, sounds like the alerts view had a more stringent validation built-in. That seems to be fixed in 6.2.0 🙂