
Is it possible to run a search query as a scheduled job at indexer level?

mallempatisreed
Explorer

Hi All,

We have an indexer cluster with 10 Idx. Is it possible to run a search query every 15 mins, with a time range of the last 15 mins, as a scheduled job at indexer level, and send the results of this job into an index=result_summary?

If it's possible, can someone help me with the steps on how to achieve it?

Thanks,
Sree

0 Karma

adonio
Ultra Champion

not sure whether you want the search head to search a particular indexer or the indexer to search itself.
for an indexer to search itself, you can save a search on the indexer, will not recommend that approach.
you can specify the indexer a search head will search from by using the splunk_server field
for example, in your 10 indexers cluster, search number 7 only:
index = <your_index> sourcetype = <your_sourcetype> splunk_server = indexer_7 .... | evals and stats | ... | collect <new_summary_index ...

hope it helps

0 Karma

mallempatisreed
Explorer

Thanks Adonio!

We have a cluster of indexers of 10 Idx. Is it possible to schedule it at indexer level and it can be run on any indexers?

Thanks,
Sreedhar

0 Karma

adonio
Ultra Champion

please elaborate on your use case?
i mean yes you can login to an indexer and run a search and then save it and schedule it, it will run only on that particular indexer.
why would you like to do so? you can have the same thing done from your search head and add the filter splunk_server = <your_indexer> to your search. the search will run against that indexer only.

0 Karma

mallempatisreed
Explorer

Thanks Adonio!

What happens if my indexer 7 is down due to some unavoided scenario when the scheduled search is supposed to run?

index = <your_index> sourcetype = <your_sourcetype> splunk_server = indexer_7 .... | evals and stats | ... | collect

0 Karma

adonio
Ultra Champion

if you execute the search on the search head it will return no results with the warning that " ... peer might be "Down" ... check ... "

0 Karma
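
The approach recommended in the thread (schedule on the search head, filter with splunk_server, write out with collect), sketched as a savedsearches.conf stanza. This is an added example, not part of any post above; the stanza name and the stats clause are assumptions, and `<your_index>` / `<your_sourcetype>` are the thread's own placeholders.

```ini
# savedsearches.conf on the search head (added example; stanza name is hypothetical)
[summary_indexer_7_every_15m]
# Restrict the search to one peer with splunk_server, as suggested in the thread.
# The stats clause is a constructed stand-in for the elided "evals and stats".
search = index=<your_index> sourcetype=<your_sourcetype> splunk_server=indexer_7 \
| stats count by host \
| collect index=result_summary

# Run every 15 minutes
enableSched = 1
cron_schedule = */15 * * * *

# Look back 15 minutes; snapping both ends to the minute keeps
# consecutive runs on adjacent, non-overlapping windows
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
```

As noted in the thread, a run that fires while indexer_7 is down returns no results, so that 15-minute window will be missing from result_summary.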