Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a cron schedule to run Splunk alerts biweekly on Mondays?

prakashbhanu407
New Member
‎10-11-2016 11:47 AM

I have a requirement to Trigger Splunk Alerts Bi-Weekly Mondays (Not 1st and 3rd OR 2nd and 4th weeks)
and if a month has 5 Mondays...it could be 1st, 3rd, and 5th Mondays.

I can't think of a cron expression to meet this requirement,

Thanks in advance.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-01-2024 11:11 PM

Shouldn't it be something like this? (assuming you want to run it at midnight.)

0 0 * * Monday/2 run my alert

 

0 Karma
Reply

shalomsuresh
Explorer
‎10-02-2024 05:53 AM

This isn't valid.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-02-2024 08:42 AM

If your system doesn't accept text DoW denotation such as Mon, Tue, you can use numeric.  In most systems, week starts from Sunday as 0.

0 0 * * 1/2 run my alert

Here is from man 5 crontab

Step values can be used in conjunction with ranges. Following a
range with ``/<number>'' specifies skips of the number's value
through the range. For example, ``0-23/2'' can be used in the hours
field to specify command execution every other hour (the alternative
in the V7 standard is ``0,2,4,6,8,10,12,14,16,18,20,22''). Steps
are also permitted after an asterisk, so if you want to say ``every
two hours'', just use ``*/2''.

(Of course, my manpage also states 

day of week 0-7 (0 or 7 is Sun, or use names)

 

0 Karma
Reply

shalomsuresh
Explorer
‎10-01-2024 10:44 AM

@prakashbhanu407 @woodcock 

This works too.. maybe you can use for the future requirement,

I had a similar requirement, and I solved it using a combination of a cron schedule and a condition in the search query. It's just two steps, first to setup a weekly schedule and then a condition to return result only once every two weeks.

  1. Set up weekly cron schedule. For example, to run at 6 p.m.  on every Sunday, use:
    0 18 * * 0

  2. Add the following condition to your search query, placing it where the query runs efficiently without affecting the final output:
    | eval biweekly_cycle_start=1726977600, biweekly=round(((relative_time(now(),"@d")-biweekly_cycle_start)/86400),0)%14 | where biweekly=0

In this example, I introduced a reference epoch time, biweekly_cycle_start, to calculate the two-week cycle. It represents the epoch time for two weeks before the alert schedule's starting date.

For instance, if your schedule begins on October 6, 2024, use the epoch time for the start of the day, September 22, 2024, which is 1726977600.

Each time the alert runs, the condition checks whether two weeks have passed since the last run. It returns results every two weeks and no results on the off week (seven days from the previous run).

Simply insert this condition where it will optimize the search performance, before the final transforming commands like stats, top, table, etc.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-11-2016 04:41 PM

It is IMPOSSIBLE to have the search (not) run the way that you describe. However, what IS possible is to have it CRASH (and not complete) when it should not be running. Just set up the condition to trigger for Number of Results Greater Than 0 and schedule it to run every Monday ( * * * * 1 ). The only some Mondays part operates from INSIDE the search and will cause the search to CRASH (and therefore be IMPOSSIBLE to alert) during the blackout period. In this case, the logic to do that is this: figure out which Monday it is and then if that number is not 1, 3, or 5, set Bogus values for earliest and latest that will cause the search to crash. Otherwise, just copy the correct values from addinfo and pass them along as-is. This is your search:

Your Base Search Here

[| makeresults | addinfo
| eval date_mday=strftime(now(), "%d")
| eval date_wday_which = ceil(tonumber(strftime(now(), "%d"))/7)
| eval earliest=if(match(date_wday_which, "[135]"), info_min_time, "ThisSearchOnlyRunsOnOddWeeks")
| eval latest  =if(match(date_wday_which, "[135]"), info_max_time, "ItDeliberatelyCrashesOnEvenWeeks")
| fields earliest latest
| format "" "" "" "" "" ""
| fields search
| rex field=search mode=sed "s/\"//g"]

| The Rest Of Your Search Here

So in the good (1/3/5) case, it will look like this:

    Your Base Search Here earliest=1476225660 latest=1476229310 | The Rest Of Your Search Here

But in the bad (2/4) case, it will come out like this:

    Your Base Search Here earliest=ThisSearchOnlyRunsOnOddWeeks latest=ItDeliberatelyCrashesOnEvenWeeks | The Rest Of Your Search Here
0 Karma
Reply

prakashbhanu407
New Member
‎10-13-2016 12:28 PM

Sorry for any confusion but My requirement is to Run the alert on Alternate Mondays irrespective of the month
so if we setup the Alert to run for the first time on 1st week then it has to run on all Odd weeks
if it starts on 2nd week , it has to run on all even weeks.

Is there a function to get the Count of the week in an year ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...