Splunk cron behavior

release date
2018-06-14
last updated
2018-06-14
version
Splunk Enterprise 9.1.2
Overview
In Splunk, the execution time of scheduled alerts, reports and other scheduled searches is specified with a cron expression. The way Splunk interprets that expression differs between versions, so check the version you are running before specifying an execution time.
Reference information
Contents

Differences between versions

7.2.1 and earlier

Splunk cron works differently than the typical Linux cron.

Linux: The third field (day of month) and the fifth field (day of week) are ORed together.
Splunk: The third field (day of month) and the fifth field (day of week) are ANDed together.

Example) 0 9 15-21 * 1

(1st field: minute, 2nd field: hour, 3rd field: day, 4th field: month, 5th field: day of the week)

  • Linux:
    The condition is read as "the 15th to the 21st, OR Monday", so the job runs at 9 AM on every day from the 15th to the 21st and at 9 AM on every Monday.
  • Splunk:
    The condition is read as "the 15th to the 21st, AND Monday", so the job runs at 9 AM only on a Monday that falls between the 15th and the 21st (the third Monday of the month).

7.2.2 and later

Splunk cron works the same way as a typical Linux cron.
Linux/Splunk: The third field (day of month) and the fifth field (day of week) are ORed together.

Example) 0 9 15-21 * 1

(1st field: minute, 2nd field: hour, 3rd field: day, 4th field: month, 5th field: day of the week)

  • Splunk, Linux:
    The condition is read as "the 15th to the 21st, OR Monday", so the job runs at 9 AM on every day from the 15th to the 21st and at 9 AM on every Monday.
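To make the two interpretations concrete, the following is an added example (not from the original page and not Splunk code) that evaluates a five-field cron expression under both semantics: "and" for Splunk 7.2.1 and earlier, "or" for Linux cron and Splunk 7.2.2 and later. It goes slightly beyond the page in one respect: standard Linux (Vixie) cron only ORs the day-of-month and day-of-week fields when both are restricted; when one of them is `*`, the other applies on its own, and the code reproduces that. The function names and the sample month (June 2018, whose Mondays fall on the 4th, 11th, 18th and 25th) are my own choices.

```python
from datetime import date, timedelta


def parse_field(field, lo, hi):
    """Expand one cron field ("*", "15-21", "1,3", "*/2") into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Split 'min hour dom month dow' into value sets; 7 is accepted as Sunday."""
    minute, hour, dom, month, dow = expr.split()
    return {
        "minute": parse_field(minute, 0, 59),
        "hour": parse_field(hour, 0, 23),
        "dom": parse_field(dom, 1, 31),
        "month": parse_field(month, 1, 12),
        "dow": parse_field(dow, 0, 7),
        "dom_restricted": dom != "*",
        "dow_restricted": dow != "*",
    }


def matches_day(spec, d, semantics):
    """Date part only. semantics: "and" (Splunk <= 7.2.1) or "or" (Linux, Splunk >= 7.2.2)."""
    if d.month not in spec["month"]:
        return False
    # cron numbers the week 0 = Sunday .. 6 = Saturday; Python's weekday() has Monday = 0
    cron_dow = (d.weekday() + 1) % 7
    dom_ok = d.day in spec["dom"]
    dow_ok = cron_dow in spec["dow"] or (cron_dow == 0 and 7 in spec["dow"])
    if semantics == "and":
        return dom_ok and dow_ok
    # Vixie cron: OR only when both day fields are restricted; a "*" field imposes nothing
    if spec["dom_restricted"] and spec["dow_restricted"]:
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def firing_days(expr, year, month, semantics):
    """List the days of the given month on which the schedule fires at all."""
    spec = parse_cron(expr)
    d = date(year, month, 1)
    days = []
    while d.month == month:
        if matches_day(spec, d, semantics):
            days.append(d.day)
        d += timedelta(days=1)
    return days


def fires_at(expr, year, month, day, hour, minute, semantics):
    """Full check of one wall-clock minute against the expression."""
    spec = parse_cron(expr)
    return (
        minute in spec["minute"]
        and hour in spec["hour"]
        and matches_day(spec, date(year, month, day), semantics)
    )


if __name__ == "__main__":
    expr = "0 9 15-21 * 1"  # the page's example schedule
    for sem in ("and", "or"):
        print(sem, firing_days(expr, 2018, 6, sem))
```

Running it prints `and [18]` (the third Monday only) and `or [4, 11, 15, 16, 17, 18, 19, 20, 21, 25]` (every Monday plus the whole 15th to 21st window), which is exactly the difference an upgrade from 7.2.1 or earlier introduces for an unchanged schedule.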

How to keep the alert timing used before 7.2.1

If a scheduled alert's cron execution time was set to "0 9 15-21 * 1" in a version prior to 7.2.1 (7.0 series, 7.1 series), the alert's execution timing changes after upgrading to the latest version: it will also run on every day from the 15th to the 21st and on every Monday.

If you want the alert to fire at 9:00 AM only on Mondays from the 15th to the 21st of each month, as it did before the upgrade, change the alert settings as follows. The added conditions make the search return no results on any other day, so the alert does not trigger even though the scheduler still runs it.

Procedure

Log in to Splunk Web.
Go to the Settings - Searches, Reports, and Alerts screen.
Open the edit screen for the target alert and append the date conditions below to its search.

<Example of change>
· Search:
(Existing search statement)

| eval daynum=tonumber(strftime(now(),"%d"))
| eval weekday=strftime(now(),"%a")
| eval isThirdMonday=if(weekday=="Mon" AND daynum>14 AND daynum<22,"true","false")
| search isThirdMonday="true"

The eval commands must not end with a trailing comma before the next pipe, as that is a syntax error. now() is the start time of the scheduled search, so at a 09:00 run it reflects the scheduled day; tonumber() turns the zero-padded "%d" string into a number so that daynum>14 AND daynum<22 is a numeric comparison (the 15th to the 21st). On any other day the final search command drops every result and the alert does not trigger.
