In an organization there can be patching activities happening over occasional basis. Let’s have a scenario in which patching activity is planned on Sunday from 12am to 8am. There may be few alerts which are crucial for the organization and it is scheduled for every hour throughout the day. But during patching it might need to be stopped or else it may account a false result. So to avoid this kind of scenario, we can just clone the original alerts for two different times and disable the original alert for time being.
Before we move on lets understand some basics about Cron.
Cron Schedule: The software utility cron is a time-based job scheduler. Cron schedule is used for jobs to run periodically at fixed time, date or interval.
Cron Schedule in Splunk: Cron schedule is used for scheduling a knowledge objects (like Dashboard, Reports and Alerts). It is mostly used for Alerts and Reports.
Cron Expression syntax in Splunk:-
Note: “Cron expression is a data string of five fields separated by spaces.”
From left to right, the five Cron fields have the following chronological value ranges:
- Minute: 0-59
- Hour: 0-23
- Day of the month: 1-31
- Month: 1-12
- Day of the week: 0-6 (where 0 = Sunday)
Example expressions:
|
Cron Expressions
|
Meaning of the Expressions
|
|
*/5 * * * *
|
Every 5 minutes
|
|
30 * * * *
|
At minute 30
|
|
1-20 * * * *
|
Every minute from 1 through 20.
|
|
0 */12 * * *
|
Every 12 hours, on the hour.
|
|
* 12 * * *
|
Every minute past hour 12.
|
|
* 1-10 * * *
|
Every minute past every hour from 1 through 10
|
|
*/20 * * * 1-5
|
Every 20 minutes, Monday through Friday
|
|
* 1-10 * * 0
|
Every minute past every hour from 1 through 10 on Sunday
|
|
0 9 1-7 * *
|
The first 7 days of every month at 9 AM
|
|
* 1-10 * 1-8 0
|
At every minute past every hour from 1 through 10 on Sunday in every month from January through August.
|
|
Format
|
Description
|
Explanation of description
|
|
N
|
One value
|
Only this value(eg: 10:00 am)
|
|
N,M
|
Multiple comma-separated values
|
Only the listed values(eg:10,13 i.e 10:00am and 1:00pm)
|
|
I-J
|
Value range, inclusive
|
All values in this range, including the range start and end values(eg:10-13 i.e 10:00am through 1:00pm)
|
|
*
|
Asterisk (indicates “all values”)
|
Each value in this field
|
|
*/N
|
Every N value in this field
|
All values in this field are intervals of N(eg: */4 i.e Every 4 hours like 0,4,8,12)
|
Note: If we want to use the range value we can’t use it in the format : “*/10-*/12 * * * *” We have to use it in the format: “10-12 * * * *”
Now let’s take an example to use Cron system as a workaround for patching kind of scenario.
Assume an Alert name as test_alert(original alert)
Now we have to clone the alerts two times:
• When we clone it 1st time (it will run for mon-sat every hour): In cron schedule we just have to mention cron expression “* */1 * * 1-6”
• When we clone it for 2nd time (for Sunday): In cron schedule we have to mention cron expression”* 8-23 * * 0” (patching is going on 12am to 8am so that time alert will be disable).
If you are still facing issue regarding Cron Schedule in Splunk Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on 👍 Social Networks, happy Splunking >😉
