Reporting

Running mulitple reports with a certain time gap

Communicator

Hi everyone,

I have 3 reports dependent on the outcome of each other
The 1st report generates a FirstReportOutputcsv, which is the input for the Second report
The 2nd report generates a SecondReportOutputcsv, which is the input for the Third report.
The 2nd report generates a ThirdReportOutputcsv, which is the final output.

As of now, I have scheduled these reports at a certain time every day.

Is it possible to run all 3 reports from the search head with a time gap of 5 minutes?

Thanks a lot in advance.

0 Karma

Communicator

You can do that!! But you need to be mindful of the duration the earlier searches takes. There will be always an issue if the first search takes more than 5 minutes (due to some issues) and that hinders the second searches output. Having a safe gap b/w the searches will help you in this case

Communicator

Ok, That's a good point. However, do you know, how can we run multiple reports /Queries from the search head with a certain time gap duration. Is there any example available.

0 Karma

Communicator

I am not exactly sure about your ask!!
If you are asking how to schedule the reports:
You can schedule each report with a cron scheduler, and give a timegap of 5/10 minutes
report 1 ... 5,20,35,50 * * * *
report 2 .... 10,25,40,55 * * * *
report 3 .... 15,30,45,00 * * * *

Please adjust the cron scheduler according to your needs.

http://docs.splunk.com/Documentation/Splunk/latest/Report/Schedulereports#Schedule_reports_in_Settin...

0 Karma

Communicator

I already scheduled them in reporting with cron schedule 20 */3 * * 1-5 , 25 */3 * * 1-5 and 30 */3 * * 1-5.

What I need to know is that if we can run multiple reports from a single Search head (As a single query) with a defined time gap in between.

0 Karma