Reporting

How to get the next run of a scheduled search and display in a dashboard?

akarivaratharaj
Communicator

I have created a dashboard to show the execution history of scheduled jobs which had ran. I used the logs from "index=_internal sourcetype=scheduler".

This gives me the past run of all the scheduled searches with their respective details like owner, status, app, etc., Similarly I need to display the next scheduled run of the same jobs in a dashboard.

Could someone help me on this please?

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

You can get this information by REST api. Please try the next (needs that you have access to REST api).

| rest /services/saved/searches 
| where is_scheduled=1

r. Ismo 

View solution in original post

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @akarivaratharaj 

Try following search in UI you will get many fields in return, next_scheduled_time field fulfil your need. Results output would depends on your role access.

| rest "/services/saved/searches" | table title next_scheduled_time

Refer API doc for other fields - Search endpoint descriptions - Splunk Documentation

 how to use rest command - https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Rest

----

An upvote would be appreciated if it helps!

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

You can get this information by REST api. Please try the next (needs that you have access to REST api).

| rest /services/saved/searches 
| where is_scheduled=1

r. Ismo 

0 Karma

akarivaratharaj
Communicator

Yes I tried as below

| rest /services/saved/searches
| where is_scheduled=1
| table title next_scheduled_time

This is giving me the upcoming run time of my scheduled jobs. 
But my complete requirement is I need some of the details of the job like last run time, status of the run, duration of the run, result count. In addition to this I need the Next run time of the same job.

Currently I am using the below query

index=_internal sourcetype=scheduler status=* 
| table user app savedsearch_name scheduled_time status run_time result_count
|rename user as Owner, app as App, savedsearch_name as "Search Name", status as Status, scheduled_time as "Last run time", run_time as Duration, result_count as "Result Count"

This gives all the expected metric details. But these data like duration, status, result count, etc., I won't get from REST API query.

0 Karma

akarivaratharaj
Communicator

Now I used "join" command to combine the results of these two different queries. I am getting the expected output.

If there is any other way to achieve all the required details please let me know.

0 Karma

isoutamo
SplunkTrust
SplunkTrust
That's the way how you need to do it. Schedules etc. by REST and statistics from _audit. If I recall right you could get some statistics also by REST (different endpoint), but not all what are in _audit.
r. Ismo
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...