topic Re: How to determine whether a saved search was run on its cron schedule, or not? in Alerting

How to determine whether a saved search was run on its cron schedule, or not?

adamsmith47 — Tue, 30 Apr 2019 18:47:28 GMT

In a report I'm building, I'm using the | map command to send emails to many recipients, each with their own custom view of data. A problem I've run into while editing the search is, I do not want to accidentally send many erroneous reports via email if I run the search while testing/editing, or even accidentally opening the search. I've come up with a rough solution, but, am wondering if someone has a better idea.

Basically I've created a macro that:
1) uses | rest to check the cron the search is scheduled for,
2) guesses at the epoch time cron_guess the search would have run at today (this logic breaks if the cron doesn't follow MM HH * * * format, e.g. 0,15,30,45 12 * * * breaks my logic)
3) checks to see if cron_guess = now()

After that, I use ranOnCron=1 to set the real email addresses, or ranOnCron=0 to set email addresses to my test account, preventing any "true" emails from going out.

This works for my purposes, but, I'd love a more robust solution if anyone knows of something. Accidentally sending hundreds of emails to hundreds of people with garbage data isn't fun.

Thanks!

[ranOnCron(3)]
args = NS_user, NS_app, saved_search
definition = eval ranOnCron=
    [| rest splunk_server=local /servicesNS/$NS_user$/$NS_app$/saved/searches
    | search title="$saved_search$"
    | rex field=cron_schedule "^(?<cron_min>\d+)\s+(?<cron_hour>\d+)\s+"
    | eval cron_guess=floor(relative_time(now(), "@d"))+tonumber(cron_min)*60+tonumber(cron_hour)*60*60
    | eval runOnCron_sec_min_hour=if(cron_guess==now(), 1, 0)
    | return $runOnCron_sec_min_hour]

Re: How to determine whether a saved search was run on its cron schedule, or not?

codebuilder — Tue, 30 Apr 2019 18:56:43 GMT

Why not just clone your report, disable notifications, and use that as your working copy.
Then after validation, move your changes up to the published version.

Re: How to determine whether a saved search was run on its cron schedule, or not?

adamsmith47 — Tue, 30 Apr 2019 19:04:18 GMT

That doesn't prevent accidents. I suppose accidents are always possible, but I'm sure you can see it'd be very easy for someone to OPEN the search, instead of click Edit to clone it... sending out hundreds of unexpected emails. Or one power user clicks on a saved search another power user created, sending out hundreds of unexpected emails.

I'm looking for a technical solution to reduce extremely visible errors, in addition to trying to be careful.

Re: How to determine whether a saved search was run on its cron schedule, or not?

codebuilder — Tue, 30 Apr 2019 19:22:33 GMT

Sounds like you need an isolated development environment or more strict control of your users/roles.

Re: How to determine whether a saved search was run on its cron schedule, or not?

adamsmith47 — Tue, 30 Apr 2019 19:33:24 GMT

Yeah, life sucks.

Anything else?

Re: How to determine whether a saved search was run on its cron schedule, or not?

adamsmith47 — Fri, 03 May 2019 13:33:47 GMT

Just re-reading my post, and to clarify what I have in mind, I'm looking for probably a | rest command and logic to determine whether the search was run by the scheduler, or if it were run manually.

Thanks again.