Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk CRON Implementation incorrect in SEARCH-ALERTS

SplunkShawnCt
Explorer
‎03-16-2015 09:49 AM

Searches, reports, and alerts allows me to enter a CRON schedule with Dual ranges. For instance in the hour field if I do not want to run at 3:00 AM I can use this schedule to run every 15 minutes.

*/15 0-2,4-23 * * *

This is allowed under standard CRON. If instead of editing the CRON schedule in Searches, reports, and alerts I instead try to edit it the REPORTS or ALERTS section of the Splunk App I get an Invalid CRON error. I would attach a picture but it says I need more points.

Tags (2)
0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎04-29-2015 10:17 AM

Hi @SplunkShawnCt,
I've reported this issue as a bug and asked our search and reporting UI folks to investigate. It seems there is a validation issue in the UI, according to one of our cron expression engineers. Thanks for bringing it to our attention! I'll report back with any other updates.
best,
frobinson

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎04-29-2015 11:37 AM

I've asked our engineering team and it is a known bug with 6.1.2. It has been fixed as of 6.1.3. @SplunkShawnCt, if you can upgrade to 6.1.3 or beyond you should be good to go. Let me know if you have further questions on this issue.

Thanks!
frobinson

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎04-28-2015 04:57 PM

Hi @SplunkShawnCt,
I am a tech writer here at Splunk and I've been troubleshooting what sounds like a similar issue with a different app. I'll check with our engineering team to see if it's related.

The other post I've been working on is:
http://answers.splunk.com/answers/120603/cron-expression-in-splunk.html

I'll report back with any info I find.
Thanks,
frobinson

0 Karma
Reply

somesoni2
Revered Legend
‎03-16-2015 01:53 PM

What version of Splunk you're using? Tested the same on 6.2.1 and your cron worked fine "*/15 0-2,4-23 * * *"

  1. From Settings->Searches, reports and alerts
  2. Go to App -> Searches Navigation Menu-> Edit ->Schedule
  3. Go to App -> Alerts Navigation Menu -> Edit ->Schedule
0 Karma
Reply

SplunkShawnCt
Explorer
‎03-24-2015 07:56 AM

Version 6.1.2

Editing the Schedule from Settings -> Searches, reports and alerts works fine for me.

The problem only occurs in the Search & Reporting app when using either the Alerts or Reports tab.

0 Karma
Reply

ppablo
Retired
‎03-16-2015 10:02 AM

Hi @SplunkShawnCt

Would you be able to provide a link to the image hosted on another site? A lot of other users do that instead of uploading it directly on here. Also, are you referring to the Search and Reporting App when you say "Splunk App"?

0 Karma
Reply

SplunkShawnCt
Explorer
‎03-16-2015 01:17 PM

See attached

alt text

http://i.imgur.com/c7JQKkn.png

0 Karma
Reply

SplunkShawnCt
Explorer
‎03-16-2015 01:33 PM

Under Settings if you go to Knowledge -> Searches, reports, and alerts

And select a search there you can enter a CRON schedule that contains two ranges. If you go to the Search App and Click Alerts or Reports and try to edit a CRON Schedule there you will get the error I am talking about. Under dashboards in the search app you can again schedule things on a CRON schedule and have double ranges is valid.

By double ranges I mean two ranges seperated by a comma, (Like in the above picture for the hour field)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...