Reporting

How to get the next run of a scheduled search and display in a dashboard?

akarivaratharaj
Communicator

I have created a dashboard to show the execution history of scheduled jobs which have run. I used the logs from "index=_internal sourcetype=scheduler".

This gives me the past run of all the scheduled searches with their respective details like owner, status, app, etc. Similarly I need to display the next scheduled run of the same jobs in a dashboard.

Could someone help me on this please?


isoutamo
SplunkTrust

Hi

You can get this information via the REST API. Please try the following (it needs you to have access to the REST API).

| rest /services/saved/searches 
| where is_scheduled=1

r. Ismo 


venkatasri
SplunkTrust

Hi @akarivaratharaj 

Try the following search in the UI; you will get many fields in return, and the next_scheduled_time field fulfils your need. Results output would depend on your role access.

| rest "/services/saved/searches" | table title next_scheduled_time

Refer to the API doc for other fields - Search endpoint descriptions - Splunk Documentation

How to use the rest command - https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Rest

----

An upvote would be appreciated if it helps!



akarivaratharaj
Communicator

Yes, I tried as below:

| rest /services/saved/searches
| where is_scheduled=1
| table title next_scheduled_time

This is giving me the upcoming run time of my scheduled jobs.
But my complete requirement is that I need some details of the job like last run time, status of the run, duration of the run and result count. In addition to this I need the next run time of the same job.

Currently I am using the below query:

index=_internal sourcetype=scheduler status=*
| table user app savedsearch_name scheduled_time status run_time result_count
| rename user as Owner, app as App, savedsearch_name as "Search Name", status as Status, scheduled_time as "Last run time", run_time as Duration, result_count as "Result Count"

This gives all the expected metric details. But data like duration, status, result count, etc. I won't get from the REST API query.

akarivaratharaj
Communicator

Now I used the "join" command to combine the results of these two different queries. I am getting the expected output.

If there is any other way to achieve all the required details please let me know.


isoutamo
SplunkTrust

That's the way you need to do it. Schedules etc. by REST and statistics from _audit. If I recall right you could get some statistics also by REST (a different endpoint), but not all that are in _audit.

r. Ismo
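An added example (not posted by anyone in this thread) of the join the original poster describes: it collapses the scheduler log to one row per saved search with the latest run's details, then left-joins the next_scheduled_time returned by the REST endpoint. Only fields that appear earlier in the thread are used; the output field names (last_run_time, last_status, last_duration, last_result_count, owner) are chosen here and are not Splunk's own.

```spl
index=_internal sourcetype=scheduler status=*
| stats latest(scheduled_time) as last_run_time
        latest(status) as last_status
        latest(run_time) as last_duration
        latest(result_count) as last_result_count
        latest(user) as owner
        latest(app) as app
    by savedsearch_name
| join type=left savedsearch_name
    [| rest /services/saved/searches
     | where is_scheduled=1
     | rename title as savedsearch_name
     | table savedsearch_name next_scheduled_time]
| table owner app savedsearch_name last_run_time last_status last_duration last_result_count next_scheduled_time
| rename owner as Owner, app as App, savedsearch_name as "Search Name", last_run_time as "Last run time", last_status as Status, last_duration as Duration, last_result_count as "Result Count", next_scheduled_time as "Next run time"
```

The stats step is what keeps the join cheap: join materialises the subsearch and is subject to the subsearch result limits, so feeding it one row per search rather than every scheduler event avoids truncated results. type=left keeps searches that no longer exist in the REST output (deleted or unscheduled since their last run) with an empty "Next run time", which is usually what an execution-history panel wants. As venkatasri notes, the rest subsearch only returns saved searches the running user's role can read, so rows for other owners' searches will also have an empty "Next run time" unless the dashboard runs with sufficient access.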