
Use cron expressions for alert scheduling
You can customize alert scheduling using a time range and cron expression.
Cron expression syntax
A cron expression is a data string of five fields separated by spaces.
From left to right, the five cron fields have the following chronological value ranges:
- Minute: 0-59
- Hour: 0-23
- Day of the month: 1-31
- Month: 1-12
- Day of the week: 0-6 (where 0 = Sunday)
Commonly used cron field formats
The following cron field formats suit most use cases.
Format | Description | Explanation of description | Hour field example | Example meaning |
---|---|---|---|---|
N | One value | Only this value | 9 | 9:00 AM |
N,M | Multiple comma-separated values | Only the listed values | 9,15 | 9:00 AM and 3:00 PM |
I-J | Value range, inclusive | All values in this range, including the range start and end values | 9-17 | 9:00 AM through 5:00 PM |
* | Asterisk (indicates "all values") | Each value in this field | * | Every hour |
*/N | Every N value in this field | All values in this field are intervals of N | */3 | Every 3 hours: 0, 3, 6, 9, 12, 15, 18, 21 |
Cron field formats for ranges and intervals
In some cases, you might want to use multiple value ranges or combine ranges and an interval in a cron expression. The following format options are available.
Format | Description | Meaning | Hour field example | Example meaning |
---|---|---|---|---|
I-J,K-L | Multiple comma-separated value ranges | All values in each of these ranges, including the range start and end values | 9-12,15-17 | 9:00 AM through 12:00 PM and 3:00 PM through 5:00 PM |
I-J/N | Range and /N interval | Each value in this field that is an interval of /N and is within this range | 9-12/2 | 9:00 AM and 11:00 AM |
I-J,K-L/N | Multiple comma-separated ranges and /N interval | Each value in this field that is an interval of /N and is within the specified ranges | 9-12,15-17/2 | 9:00 AM, 11:00 AM and 3:00 PM, 5:00 PM |
Working with cron intervals
In cron expressions with an interval of /N, all values in the specified range that are intervals of N are used. If a number in the range is outside of the interval N, the value resets to 0.
For example, */9 * * * * means "every nine minutes". The following minute field values are used:
0, 9, 18, 27, 36, 45, 54
After 54, the value resets to 0.
Cron value ranges and intervals
When using an I-J/N range and interval format, the interval N is applied starting from the first number in the range.
For example, 13-36/10 in the minute field results in the following values used:
13, 23, 33
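The interval behavior described in the two sections above, as an added example that is not Splunk's own code: it expands a single cron field following the formats in this page's tables and lists the minutes between consecutive runs, which makes the shorter final gap visible when */9 resets to 0. The names expand_field, run_gaps and FIELD_RANGES are assumptions made for this example.

```python
# Added example: models the field formats as this page's tables describe them.
# It is not Splunk's scheduler; all names here are hypothetical.
FIELD_RANGES = {"minute": (0, 59), "hour": (0, 23), "day_of_month": (1, 31),
                "month": (1, 12), "day_of_week": (0, 6)}

def expand_field(spec, field):
    """Return the sorted values that one cron field selects."""
    lo, hi = FIELD_RANGES[field]
    base, sep, step_text = spec.partition("/")
    step = int(step_text) if sep else 1   # "*/" with no number raises ValueError
    if step < 1:
        raise ValueError(f"interval must be >= 1: {spec!r}")
    values = set()
    for term in base.split(","):
        if term == "*":
            start, end = lo, hi
        elif "-" in term:
            start, end = (int(p) for p in term.split("-", 1))
        else:
            start = end = int(term)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{term!r} is outside {lo}-{hi} for {field}")
        # The interval counts from the first number of each range, not from 0.
        values.update(range(start, end + 1, step))
    return sorted(values)

def run_gaps(values, period):
    """Distance between consecutive values, including the wrap to the first."""
    return [(b - a) % period or period
            for a, b in zip(values, values[1:] + values[:1])]

if __name__ == "__main__":
    # Constructed sample inputs taken from the examples on this page.
    for spec in ("*/9", "13-36/10"):
        minutes = expand_field(spec, "minute")
        print(spec, minutes, "gaps:", run_gaps(minutes, 60))
    print("9-12,15-17/2", expand_field("9-12,15-17/2", "hour"))
```

When the alert's time range is set equal to N, the last entry in the gap list shows whether the run after the reset covers a shorter or longer stretch than the others.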
Example expressions
Here are some example cron expressions.
Expression | Meaning |
---|---|
*/5 * * * * | Every 5 minutes. |
*/30 * * * * | Every 30 minutes. |
0 */12 * * * | Every 12 hours, on the hour. |
*/20 * * * 1-5 | Every 20 minutes, Monday through Friday. |
0 9 1-7 * * | The first 7 days of every month at 9 AM. |
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0
Comments
I need a query for Daniel service of attack in Splunk
Is there a chance that it will be possible in the future to append more than one cronjob to one alert?
Hi Neeharikas, the user community at https://answers.splunk.com might be able to help with your question if you provide more information about your specific situation and what you'd like to accomplish.