In a report I'm building, I'm using the | map command to send emails to many recipients, each with their own custom view of data. A problem I've run into while editing the search is, I do not want to accidentally send many erroneous reports via email if I run the search while testing/editing, or even accidentally opening the search. I've come up with a rough solution, but, am wondering if someone has a better idea.

Basically I've created a macro that:
1) uses | rest to check the cron the search is scheduled for,
2) guesses at the epoch time cron_guess the search would have run at today (this logic breaks if the cron doesn't follow MM HH * * * format, e.g. 0,15,30,45 12 * * * breaks my logic)
3) checks to see if cron_guess = now()

After that, I use ranOnCron=1 to set the real email addresses, or ranOnCron=0 to set email addresses to my test account, preventing any "true" emails from going out.

This works for my purposes, but, I'd love a more robust solution if anyone knows of something. Accidentally sending hundreds of emails to hundreds of people with garbage data isn't fun.

Thanks!

[ranOnCron(3)]
args = NS_user, NS_app, saved_search
definition = eval ranOnCron=
    [| rest splunk_server=local /servicesNS/$NS_user$/$NS_app$/saved/searches
    | search title="$saved_search$"
    | rex field=cron_schedule "^(?<cron_min>\d+)\s+(?<cron_hour>\d+)\s+"
    | eval cron_guess=floor(relative_time(now(), "@d"))+tonumber(cron_min)*60+tonumber(cron_hour)*60*60
    | eval runOnCron_sec_min_hour=if(cron_guess==now(), 1, 0)
    | return $runOnCron_sec_min_hour]