Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Ignores my cron and sets his own daily

darismendy
Explorer
‎01-21-2020 11:56 AM

Hello

I am having an issue when scheduling some reports which i set cron as : 0 6 3 * * which is “At 06:00 on day-of-month 3." but when i see the next schedule it shows as daily at 06:00, for example it shows that is scheduled for tomorrow 22/01/2020 at 06:00

0 Karma
Reply

pgoyal_splunk
Splunk Employee
Splunk Employee
‎01-30-2020 09:05 PM

Add a scheduled task
The layout for a cron entry is made up of six components: minute, hour, day of month, month of year, day of week, and the command to be executed.

m h dom mon dow command

* * * * * command to execute

┬ ┬ ┬ ┬ ┬

│ │ │ │ │

│ │ │ │ │

│ │ │ │ └───── day of week (0 - 7) (0 to 6 are Sunday to Saturday, or use names; 7 is Sunday, the same as 0)

│ │ │ └────────── month (1 - 12)

│ │ └─────────────── day of month (1 - 31)

│ └──────────────────── hour (0 - 23)

└───────────────────────── min (0 - 59)

Example expressions
Here are some example cron expressions.

*/5 * * * * Every 5 minutes.
*/30 * * * * Every 30 minutes.
0 */12 * * * Every 12 hours, on the hour.
*/20 * * * 1-5 Every 20 minutes, Monday through Friday.
0 9 1-7 * * The first 7 days of every month at 9 AM.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Alert/CronExpressions

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎01-30-2020 01:20 PM

Hi. What version of Splunk are you running?

I can't find anything in the release notes about your issue but I see someone else had a similar problem with Splunk 7.2.x

https://answers.splunk.com/answers/737480/did-the-cron-scheduler-change-between-versions.html

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2020 12:13 PM

Is 0 6 3 the entire cron string? If so, it's incomplete and probably is why Splunk is not running the report at the right time. Try 0 6 3 * *.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

darismendy
Explorer
‎01-23-2020 11:11 AM

is complete as you wrote it, but i meant to write 0 6 3 * *

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2020 04:35 AM

0 6 3 is not a valid cron string. It must have 5 arguments, not just 3.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

darismendy
Explorer
‎01-30-2020 09:23 AM

i wrote 5 by real, it was just a mistake in the question, it is 0 6 3 * *

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...