https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333417#M10905 <P>You can use the curl command to trigger the searches from back-end without changing its properties.<BR /> eg. curl -k -u username:Password <A href="https://localhost:9086/services/saved/searches/testkamal2/reschedule">https://localhost:9086/services/saved/searches/testkamal2/reschedule</A> -X POST </P> <P>This will immediately trigger your search. You can write a script to trigger the queries one by one every few mins.</P> Wed, 07 Mar 2018 21:16:03 GMT kamal_jagga 2018-03-07T21:16:03Z https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333416#M10904 <P>Where there is a planned scheduled outage of a network device, which will effectively kill many of the feeds due to come into splunk, what would be the best approach to re-running correlation searches on the missing feeds once connection has been restored?</P> Wed, 07 Mar 2018 11:24:08 GMT https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333416#M10904 sheamus69 2018-03-07T11:24:08Z https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333417#M10905 <P>You can use the curl command to trigger the searches from back-end without changing its properties.<BR /> eg. curl -k -u username:Password <A href="https://localhost:9086/services/saved/searches/testkamal2/reschedule">https://localhost:9086/services/saved/searches/testkamal2/reschedule</A> -X POST </P> <P>This will immediately trigger your search. You can write a script to trigger the queries one by one every few mins.</P> Wed, 07 Mar 2018 21:16:03 GMT https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333417#M10905 kamal_jagga 2018-03-07T21:16:03Z https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333418#M10906 <P>How would this work for effectively looking at the missed data from the restored feed? Surely that command would only run the search now, not step back through the data? Or am I missing something obvious (admittedly, highly likely)?</P> Thu, 08 Mar 2018 09:33:34 GMT https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333418#M10906 sheamus69 2018-03-08T09:33:34Z https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333419#M10907 <P>Just did a little reading into this approach, and I think you are right, as shown in the example from the <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2Freschedule">rest api</A> page:</P> <P>curl -k -u admin:pass <A href="https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule">https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule</A> -d schedule_time=2012-08-15T14:11:01Z</P> Thu, 08 Mar 2018 10:06:45 GMT https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333419#M10907 sheamus69 2018-03-08T10:06:45Z https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333420#M10908 <P>Aren't correlation searches real time searches that run based on index time, rather than event time?</P> Thu, 08 Mar 2018 12:16:57 GMT https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333420#M10908 FrankVl 2018-03-08T12:16:57Z https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333421#M10909 <P>Nope, they run at scheduled intervals, and if the event feed is delayed, things can be missed.</P> Thu, 08 Mar 2018 14:27:06 GMT https://community.splunk.com/t5/Alerting/How-to-re-run-a-scheduled-correlation-search-after-planned/m-p/333421#M10909 sheamus69 2018-03-08T14:27:06Z