Did the cron scheduler change between versions?

jeffbat · ‎04-02-2019

We just recently upgraded from Splunk 6.6.3 to 7.2.4.1 and noticed a change to one of our alerts based on its cron schedule.

The cron schedule for the alert is set to this:

3 21 1-7,15-24 * 0

Before the upgrade, this was working to send out the alert the 1st and 3rd Sundays of the month.

After the upgrade, this is now sending out on the Sunday AND every day between the 1st-7th and we figure will also send every day from the 15th-24th.

Did the cron scheduler get changed in the version upgrade?

Also, where can I find what cron version Splunk is utilizing?

For now we change changed the cron schedule to send out on the 1st and 15th, so it will only send twice a month but would like it to just be every other Sunday.

Thanks.

the0duke0 · ‎05-06-2019

We just upgraded from 7.1.x to 7.2.5.1 and we have noticed a similar behavior. Previously 20 15 1-7 * 3 would fire the first Wednesday of the month at 15:20. It is now firing every Wednesday AND the first seven days of the month at 1520. I don't see any release notes with 7.2 about cron changes, but it seems there was some change.

teunlaan · ‎05-06-2019

They fixed some cron issues in v 7.2.3. So it could be your cron's a now behaving in an other way then before

Blockquote 2018-12-21 SPL-164242, SPL-164210 A search scheduled to run monthly or weekly may run daily. "Next Scheduled Time" is incorrect due to cron parsing issue

But it looks like they didn't fix it, or broke something else
Did you file a Bug?

tom_frotscher · ‎05-06-2019

Just as a quick tip, the website crontab guru is very useful to create and manage cron schedules.
For your example: https://crontab.guru/#3_21_1-7,15-24_*_0

Did the cron scheduler change between versions?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?