Hello,
I'm trying to launch a report through the Search and Reporting app, but I need to insert a delay in the report execution in order to avoid missing data due to an indexing delays.
As by now, my report is scheduled as following:
I want to launch the report every day every half an hour, so I set Cron Expression-->0,30 star star star star
I want to launch the report for the last 30 minutes, so I set through Select Time Range --> Earliest 30 minutes ago (with Beginning of minute flagged) and Latest with Beginning of current second set
Example --> I want to run the report at 8 PM and consider a search window of last 30 minutes from 7:30 PM to 8:00 PM (the same at 8:30 PM, 9:00 PM 9:30 PM,....)
But, in this way, I am not counting all data/events due to an indexing delay. For this reason, I need to find a solution that:
Is there a way to satisfy my requirement?
I know that in ITSI there is the possibility to add a "Lag" to perform a search with a delay in reference to the time window of the base/ad hoc search of a Service. Is there the same functionality also in Search and reporting App?
Thanks for a feedback.
Alice
Hi @alicepessani,
I believe I understand your question to be how do you run a report delayed, but have to do what you are looking for, you should do the following:
To set the report to delay a minute to allow for your indexing delay, set your cron schedule to be something like:
1,31,*,*,*
Then for the time picker, to set the report to run for 30 minutes starting at :00 or :30, rather than selecting "Last 30 minutes" go to Advanced and set
earliest=-31m@m latest=-61m@m
(the @m anchors the selection at :00 seconds)
Make sure you set your time window to 0 to ensure the report runs on time and not in a window.
Good luck!
Hi @darrenfuller ,
thanks for your reply, but I have already discard this solution for the following reason: in this way, if I set the report with cron schedule 1,31,,,* , but then if my report will run at 20:03 for example due to the fact that other report are running in parallel and are absorbing resources my time window of search will not be from 19:30 to 20 but from 19:32 to 20:02 ( please consider that we would like to leave the choice of the window in which start the Scheduled Report to Splunk Scheduler in order to avoid skipped Searches and this is just the first of a series of report that will be scheduled)
Could you kindly suggest me a way to obtain my requirement?
Regards,
Alice