cron in decimal

Path Finder

I use Splunk 5.0.1

I want a scheduled search to run every 2.5 hours. Does the search accept decimal values?

Like from:

-2.5h@h to now

&

cron: 0 */2.5 * * *

Super Champion

According to Stack Overflow, you cannot do it in a single statement. The recommendation is to use two statements:

0 */5 * * * 

and

30 2,7,12,17,22 * * *

See the post:

http://stackoverflow.com/questions/13226003/how-to-execute-a-cron-expression-for-every-2-5-hours

0 Karma

Super Champion

Well, I expected you would create two scheduled searches - one with one cron schedule, and one with the other. Splunk won't really care.

0 Karma

Path Finder

Hey Luke, I do want to try your method, but we are allowed just one statement in cron in Splunk 😞

0 Karma
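
The two-statement schedule suggested above can be checked offline. This is an added example, not code from the thread or from Splunk: the helper names (`expand`, `daily_runs`, `gaps`, `overlaps`) are hypothetical, the step-range check is an assumption modelled on the error quoted in the thread, and a fixed 150-minute lookback is assumed for each run.

```python
from itertools import chain

LIMITS = {"minute": (0, 59), "hour": (0, 23)}  # valid range per cron field

def expand(field, kind):
    """Expand one cron field: '*', 'a', 'a-b', comma lists, optional '/step'."""
    lo, hi = LIMITS[kind]
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        # Steps must be whole numbers inside the field's range, so '*/2.5'
        # and '*/150' are both rejected (assumed to mirror Splunk's check).
        if step and not (step.isdigit() and 1 <= int(step) <= hi):
            raise ValueError(f"invalid step in {kind} field: {part!r}")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if not lo <= start <= end <= hi:
            raise ValueError(f"out of range in {kind} field: {part!r}")
        values.update(range(start, end + 1, int(step or 1)))
    return sorted(values)

def daily_runs(cron):
    """Minutes after midnight at which a 'M H * * *' schedule fires."""
    minute, hour, *rest = cron.split()
    if rest != ["*", "*", "*"]:
        raise ValueError("sketch only handles '* * *' for day, month, weekday")
    return [h * 60 + m for h in expand(hour, "hour") for m in expand(minute, "minute")]

def gaps(*crons):
    """(minutes since previous run, 'HH:MM') for every run of the merged schedules."""
    runs = sorted(set(chain.from_iterable(daily_runs(c) for c in crons)))
    return [((t - runs[i - 1]) % 1440 or 1440, f"{t // 60:02d}:{t % 60:02d}")
            for i, t in enumerate(runs)]

def overlaps(window_min, *crons):
    """Runs whose lookback window reaches back past the previous run."""
    return [(at, window_min - gap) for gap, at in gaps(*crons) if gap < window_min]

if __name__ == "__main__":
    pair = ("0 */5 * * *", "30 2,7,12,17,22 * * *")  # schedules from the answer
    for gap, at in gaps(*pair):
        print(f"{at}  +{gap} min")
    print("overlapping runs:", overlaps(150, *pair))
```

Because 24 hours is not a multiple of 2.5, the 00:00 run fires only 90 minutes after the 22:30 run, so a 150-minute lookback re-reads 60 minutes of events once a day. Searches that alert or count on those events need deduplication or a shorter window for that run.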

Motivator

Hello

I think you can use this schedule

150m

To run the query every 150 minutes

regards

0 Karma

Champion

No, it doesn't take decimal values in a cron schedule.

0 Karma

Path Finder

-150m may be good to search for records in the last 2.5 hours, but it does not satisfy the cron criteria. I need the search to run every 2.5 hours, and when I try this it throws an error.

Encountered the following error while trying to update: In handler 'savedsearch': Invalid cron_schedule="*/150 * * * *"

0 Karma