Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Ignores my cron and sets his own daily

darismendy
Explorer
‎01-21-2020 11:56 AM

Hello

I am having an issue when scheduling some reports which i set cron as : 0 6 3 * * which is “At 06:00 on day-of-month 3." but when i see the next schedule it shows as daily at 06:00, for example it shows that is scheduled for tomorrow 22/01/2020 at 06:00

0 Karma
Reply

pgoyal_splunk
Splunk Employee
Splunk Employee
‎01-30-2020 09:05 PM

Add a scheduled task
The layout for a cron entry is made up of six components: minute, hour, day of month, month of year, day of week, and the command to be executed.

m h dom mon dow command

* * * * * command to execute

┬ ┬ ┬ ┬ ┬

│ │ │ │ │

│ │ │ │ │

│ │ │ │ └───── day of week (0 - 7) (0 to 6 are Sunday to Saturday, or use names; 7 is Sunday, the same as 0)

│ │ │ └────────── month (1 - 12)

│ │ └─────────────── day of month (1 - 31)

│ └──────────────────── hour (0 - 23)

└───────────────────────── min (0 - 59)

Example expressions
Here are some example cron expressions.

*/5 * * * * Every 5 minutes.
*/30 * * * * Every 30 minutes.
0 */12 * * * Every 12 hours, on the hour.
*/20 * * * 1-5 Every 20 minutes, Monday through Friday.
0 9 1-7 * * The first 7 days of every month at 9 AM.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Alert/CronExpressions

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎01-30-2020 01:20 PM

Hi. What version of Splunk are you running?

I can't find anything in the release notes about your issue but I see someone else had a similar problem with Splunk 7.2.x

https://answers.splunk.com/answers/737480/did-the-cron-scheduler-change-between-versions.html

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2020 12:13 PM

Is 0 6 3 the entire cron string? If so, it's incomplete and probably is why Splunk is not running the report at the right time. Try 0 6 3 * *.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

darismendy
Explorer
‎01-23-2020 11:11 AM

is complete as you wrote it, but i meant to write 0 6 3 * *

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2020 04:35 AM

0 6 3 is not a valid cron string. It must have 5 arguments, not just 3.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

darismendy
Explorer
‎01-30-2020 09:23 AM

i wrote 5 by real, it was just a mistake in the question, it is 0 6 3 * *

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...