How to get the next run of a scheduled search and display in a dashboard?

akarivaratharaj
Communicator

I have created a dashboard to show the execution history of scheduled jobs which have run. I used the logs from "index=_internal sourcetype=scheduler".

This gives me the past runs of all the scheduled searches with their respective details like owner, status, app, etc. Similarly, I need to display the next scheduled run of the same jobs in a dashboard.

Could someone help me on this please?

0 Karma

isoutamo
SplunkTrust

Hi

You can get this information via the REST API. Please try the following (this requires that you have access to the REST API).

| rest /services/saved/searches 
| where is_scheduled=1

r. Ismo 

0 Karma

venkatasri
SplunkTrust

Hi @akarivaratharaj 

Try the following search in the UI; you will get many fields in return, and the next_scheduled_time field fulfils your need. The results output would depend on your role access.

| rest "/services/saved/searches" | table title next_scheduled_time

Refer to the API doc for other fields - Search endpoint descriptions - Splunk Documentation

How to use the rest command - https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Rest

----

An upvote would be appreciated if it helps!

0 Karma

akarivaratharaj
Communicator

Yes I tried as below

| rest /services/saved/searches
| where is_scheduled=1
| table title next_scheduled_time

This is giving me the upcoming run time of my scheduled jobs.
But my complete requirement is that I need some of the details of the job, like last run time, status of the run, duration of the run, and result count. In addition to this, I need the next run time of the same job.

Currently I am using the below query

index=_internal sourcetype=scheduler status=*
| table user app savedsearch_name scheduled_time status run_time result_count
| rename user as Owner, app as App, savedsearch_name as "Search Name", status as Status, scheduled_time as "Last run time", run_time as Duration, result_count as "Result Count"

This gives all the expected metric details. But data like duration, status, result count, etc. I won't get from the REST API query.

0 Karma

akarivaratharaj
Communicator

Now I have used the "join" command to combine the results of these two different queries. I am getting the expected output.

If there is any other way to achieve all the required details please let me know.

0 Karma

isoutamo
SplunkTrust

That's the way you need to do it. Schedules etc. by REST and statistics from _audit. If I recall right, you could also get some statistics by REST (different endpoint), but not all that are in _audit.

r. Ismo

0 Karma
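
One way to write the combined search the thread arrives at, as an added example that is not from any of the posters: it starts from the REST list of scheduled searches and left-joins the most recent run of each from the scheduler logs, so searches that have not run yet still show their next run. The join keys (app plus search name), the `latest()` aggregation and the output column names are assumptions of this example; the field names come from the searches posted above and from the standard `eai:acl.*` fields returned by `| rest`.

```spl
| rest /services/saved/searches
| where is_scheduled=1
| rename title as savedsearch_name, "eai:acl.app" as app, "eai:acl.owner" as owner
| fields owner app savedsearch_name cron_schedule next_scheduled_time
| join type=left app savedsearch_name
    [ search index=_internal sourcetype=scheduler status=*
      | stats latest(scheduled_time) as last_scheduled
              latest(status) as status
              latest(run_time) as run_time
              latest(result_count) as result_count
              by app savedsearch_name ]
| eval last_run=strftime(last_scheduled, "%Y-%m-%d %H:%M:%S")
| table owner app savedsearch_name cron_schedule last_run status run_time result_count next_scheduled_time
| rename owner as Owner, app as App, savedsearch_name as "Search Name", cron_schedule as "Cron Schedule", last_run as "Last run time", status as Status, run_time as Duration, result_count as "Result Count", next_scheduled_time as "Next run time"
```

The subsearch only sees scheduler events inside the dashboard's time range, so a job whose last run falls outside that range shows empty run columns. Both halves are filtered by the viewing user's role: `| rest` returns only saved searches the role can read, and the join returns nothing from the scheduler logs without access to `index=_internal`.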