Splunk® Enterprise

Alerting Manual

Download manual as PDF

Splunk Enterprise version 7.1 will no longer be supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

Use cron expressions for alert scheduling

You can customize alert scheduling using a time range and cron expression. The Splunk cron analyzer defaults to the timezone where the search head is configured. This can be verified or changed by going to Settings > Searches, reports, and alerts > Scheduled time.

Cron expression syntax

A cron expression is a data string of five fields separated by spaces.

From left to right, the five cron fields have the following chronological value ranges:

  • Minute: 0-59
  • Hour: 0-23
  • Day of the month: 1-31
  • Month: 1-12
  • Day of the week: 0-6 (where 0 = Sunday)

Commonly used cron field formats

The following cron field formats suit most use cases.

Format Description Explanation of description Hour field example Example meaning
N One value Only this value 9 9:00 AM
N,M Multiple comma-separated values Only the listed values 9,15 9:00 AM and
3:00 PM
I-J Value range, inclusive All values in this range, including the range start and end values 9-17 9:00 AM through 5:00 PM
* Asterisk (indicates "all values") Each value in this field * Every hour
*/N Every N value in this field All values in this field are intervals of N */3 Every 3 hours
 0, 3, 6, 9, 12, 15, 18, 21

Cron field formats for ranges and intervals

In some cases, you might want to use multiple value ranges or combine ranges and an interval in a cron expression. The following format options are available.

Format Description Meaning Hour field example Example meaning 
I-J,K-L
 Multiple comma-separated value ranges All values in each of these ranges, including the range start and end values. For example: 
9-12,15-17
Would look like * 9-12,15-17 * * * 		An alert would run at every minute from 9:00 AM through 12:00 PM
and
3:00 PM through 5:00 PM. 
I-J/N
 Range and /N interval Each value in this field that is an interval of /N and is within this range For example: N=2 
9-12/2

This would look like * 9-12/2 * * * 		An alert would be sent every minute past every 2nd hour from 9:00 AM through 12:00 PM 
I-J/N,K-L/N
 Multiple comma-separated ranges and /N interval Each value in this field that is an interval of /N and is within the specified ranges For example: N = 1 
9-12/1,15-17/1

This would look like * 9-12/1,15-17/1 * * * 		An alert would run every minute of every hour from 9:00 AM through 12:00 PM and every minute of every hour from 3:00 PM through 5:00 PM.

Working with cron intervals

In cron expressions with an interval of /N, all values in the specified range that are intervals of N are used. If a number in the range is outside of the interval N, the value resets to 0.

For example, */9 * * * * means "every nine minutes" starting with minute 0 within an hour. The following minute field values are used:

9, 18, 27, 36, 45, 54

After 54, the value resets to 0.

This syntax isn't compatible with every system

Cron value ranges and intervals
When using a I-J/N range and interval format, the interval N is applied to the first number in the range.

For example, 13-36/10 in the minute field results in the following values used:

13, 23, 33

Example expressions

Here are some example cron expressions. 

5 9 * * *       At 9:05 every day.
30 * * * *      At minute 30 of every hour. For example, if you set this CRON job at 11:02, your job will begin running at 11:30, 12:30, 1:30, etc...
* 1 * * *          Every first minute of hour 1. For example: 1:01, 1:02,...,1:59.
0 12 * * *       At 12 PM every day, on the hour. 
*/20 * * * 1-5    At every 20 minutes of every hour, beginning at minute zero, Monday through Friday. For example: 11:20, 11:40, 12:00...
0 9 1-7 * *     The first 7 days of every month at 9 AM.
Last modified on 09 September, 2020
PREVIOUS
Create scheduled alerts 		  NEXT
Alert scheduling tips

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters