Splunk® Enterprise

Alerting Manual

Use cron expressions for scheduling

Customize alert scheduling using a time range and cron expression.

Cron expression syntax

A cron expression comprises five fields separated by spaces.

From left to right, the five cron fields have the following chronological value ranges.

  • Minute(s): 0–59.
  • Hour(s): 0–23.
  • Day(s) of month: 1–31.
  • Month(s): 1–12.
  • Day(s) of week: 0–6 (where 0 = Sunday).

Commonly used cron field formats

The following cron field formats suit most use cases.

| Format | Description | Meaning | Hour field example | Example meaning |
|---|---|---|---|---|
| N | One value | Only this value | 9 | 9:00 A.M. |
| N,M | Multiple comma-separated values | Only the listed values | 9,15 | 9:00 A.M., 3:00 P.M. |
| I-J | Value range, inclusive | All values in this range, including the range start and end values | 9-17 | 9:00 A.M. through 5:00 P.M. |
| * | Asterisk (indicates "all values") | Each value in this field | * | Every hour |
| */N | Every N values in this field | All values in this field that divide evenly by this divisor | */3 | Every 3 hours: 0, 3, 6, 9, 12, 15, 18, 21 |

Additional cron field formats for ranges and divisors

In some cases, you might want to use multiple value ranges or combine ranges and a divisor in a cron expression. The following format options are available.

| Format | Description | Meaning | Hour field example | Example meaning |
|---|---|---|---|---|
| I-J,K-L | Multiple comma-separated value ranges | All values in each of these ranges, including the range start and end values | 9-12,15-17 | 9:00 A.M. through 12:00 P.M.; 3:00 P.M. through 5:00 P.M. |
| I-J/N | Range and /N divisor | Each value in this field that divides evenly by this divisor and is within this range | 9-12/2 | 10:00 A.M., 12:00 P.M. |
| I-J,K-L/N | Multiple comma-separated ranges and /N divisor | Each value in this field that divides evenly by this divisor and is within the specified ranges | 9-12,15-17/2 | 10:00 A.M., 12:00 P.M., 4:00 P.M. |

Working with cron divisors

In cron expressions with an /N divisor, only values in the field that can divide evenly by the N divisor are used. If a remainder smaller than N is left in the field, the value resets to 0.

For example, */9 * * * * means "every nine minutes." The following minutes field values are used.

0, 9, 18, 27, 36, 45, 54

After 54, the value resets to 0 at the start of the next hour. The division by N does not carry over into the next 60 minutes to yield 3 (54 + 9 = 63).


Cron value ranges and divisors

When using an I-J/N range and divisor format, the divisor N is applied to the field first. The result is then limited to the range.

The first field value used is the first value that can be divided evenly by the N divisor and is within the specified range.

For example, 13-46/10 in the minutes field results in the following values used.

20, 30, 40

Note that the used values do not start at 13. Instead, they start at 20 because 20 is the first value that can be divided evenly by 10 and is within the 13-46 range.
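The following Python code is an added example, not part of the Splunk documentation. It expands a single cron field using the rules described on this page (divisor applied to the field first, ranges limiting the result second) and reports the longest gap between runs, so you can confirm that an alert's search time range covers it. The helper names expand_field and max_gap_minutes are hypothetical.

```python
# Added example: expands one cron field using the rules described on this page.
# expand_field and max_gap_minutes are hypothetical helper names, not Splunk APIs.

def expand_field(field, lo, hi):
    """Return the sorted values a cron field selects within [lo, hi].

    Follows this page's rule for divisors: /N keeps values that divide
    evenly by N, and any ranges only limit which of those values are used.
    """
    spec, _, step = field.partition("/")
    n = int(step) if step else 1
    if n < 1:
        raise ValueError("divisor must be a positive integer")
    selected = set()
    for part in spec.split(","):
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-")
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        selected.update(v for v in range(start, end + 1) if v % n == 0)
    return sorted(selected)


def max_gap_minutes(minute_field):
    """Longest wait between two runs when every other field is '*'."""
    runs = expand_field(minute_field, 0, 59)
    if not runs:
        raise ValueError("field selects no values")
    # Append the first run of the next hour to measure the wrap-around gap.
    wrapped = runs + [runs[0] + 60]
    return max(b - a for a, b in zip(wrapped, wrapped[1:]))


if __name__ == "__main__":
    # Minute fields taken from the examples on this page.
    for f in ("*/9", "13-46/10", "*/5"):
        print(f, expand_field(f, 0, 59), "max gap:", max_gap_minutes(f))
```

A minutes field of 13-46/10 runs at 20, 30 and 40 and then waits 40 minutes for the next hour, so an alert on that schedule needs a search time range of at least 40 minutes to avoid unmonitored intervals.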

Example expressions

Here are some example cron expressions.

*/5 * * * *       Every 5 minutes.
*/30 * * * *      Every 30 minutes.
0 */12 * * *      Every 12 hours, on the hour.
*/20 * * * 1-5    Every 20 minutes, Monday through Friday.
0 9 1-7 * 1       First Monday of each month, at 9am.

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3

