When I click on the link for https://crontab.guru/#00_12_1,2,3,4,5,6,7_*_0  the next run date is at 2022-10-23 12:00:00 which is not the first Sunday Nov 6th 2022.  

I did some digging and found if you use the following: 00 12 1-7 * */7 (https://crontab.guru/#00_12_1-7_*_*/7) in crontab it appears to be what you are looking for.  

However when I attempt to use that cron in a Splunk schedule it does not work.  It appears that Splunk is not like the every 7th day trick */7.  

Reviewing Splunk documentation: https://docs.splunk.com/Documentation/Splunk/latest/Alert/CronExpressions

It appears the only values that can be used are 0-6.  Not sure if at this time if there is a way to run on the first Sunday of the month with cron in Splunk. 

travis

So, if the values are 0-6 then Sunday is 0 instead of 7...  I will have to play with it some more myself.

Thanks!

David L. Crooks

I was thinking the same thing, but when I plugged in 0 instead of 7 Splunk gives me an error of invalid cron_schedule.  Now I did get 1 to work, but that was not helpful and seems the job will start on Nov 1st and then run everyday according to crontab.guru.  

travis

I think an issue is that the cron parser in Splunk is not the same as crontab.guru. I wish it was...

i am trying to schedule for this weekend and Splunk is not helping

Hi @dlcrooks,

I don't know why this happens, I should have your data to check, but anyway, as a workaround, you could put a filter in your main search to be sure that your alert is executed only the first Monday in a month, something like this:

<your_search> date_mday<7 date_wday=sunday

Ciao.

Giuseppe

No, I tried the suggestion and I do not want to filter my data as I need the search scheduled.

My data has nothing to do with the cron string not working in Splunk. That is a bug in Splunk.

I will try out your suggestion. 

Thanks!

David