All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

report index frequency

akshaykaul
Explorer
‎08-21-2019 08:58 PM

I am finally able to configure and get the data indexed into splunk via the salesforce report app,
I am just willing to understand what actually triggers the report to be indexed?
CUrrently I am only able to get it to index when i disable/enable the Input on the app.
Have tried running the report in salesforce but this does not get the data / report indexed.

any insight please?

thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

edavison
Explorer
‎08-22-2019 05:52 AM

The saved report is indexed at the interval (in seconds) configured in the input. I believe the default is once every 24hrs (86,400sec). The saved report does not have to be scheduled in Salesforce as the input requests a new export at each interval. It is advised you coordinate/synchronize this to align with the time window (if applicable) configured in your stored Salesforce report.

Keep in mind, some reports can take awhile for Salesforce to generate and return the data so your interval must allow for it complete and complete indexing before executing again. Also, running too frequently may cause data overlap or other undesired impacts.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

akshaykaul
Explorer
‎08-22-2019 02:43 PM

Hi ,
Can i ask about the purge option. Does it apply to KV store only.?
If i am just indexing the report (no Kv store) ; in that case are the already indexed records purged on every interval?

0 Karma
Reply
Solved! Jump to solution

akshaykaul
Explorer
‎08-22-2019 02:20 PM

@edavison
Thank you for your reply. yes i soon realised the interval setting after posting this question. 🙂
good to know that it actually trigger a report to run on the interval and pull a fresh extract in which can yes there is no need to schedule.
I was goin to shedule the report run just before interval but i guess dont need that now.
Cheers..

0 Karma
Reply
Solved! Jump to solution
Solution

edavison
Explorer
‎08-22-2019 05:52 AM

The saved report is indexed at the interval (in seconds) configured in the input. I believe the default is once every 24hrs (86,400sec). The saved report does not have to be scheduled in Salesforce as the input requests a new export at each interval. It is advised you coordinate/synchronize this to align with the time window (if applicable) configured in your stored Salesforce report.

Keep in mind, some reports can take awhile for Salesforce to generate and return the data so your interval must allow for it complete and complete indexing before executing again. Also, running too frequently may cause data overlap or other undesired impacts.

0 Karma
Reply
Solved! Jump to solution

akshaykaul
Explorer
‎08-21-2019 08:59 PM

https://splunkbase.splunk.com/app/3567/

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...