Running mulitple reports with a certain time gap

Chandras11 · ‎08-24-2018

Hi everyone,

I have 3 reports dependent on the outcome of each other
The 1st report generates a FirstReportOutputcsv, which is the input for the Second report
The 2nd report generates a SecondReportOutputcsv, which is the input for the Third report.
The 2nd report generates a ThirdReportOutputcsv, which is the final output.

As of now, I have scheduled these reports at a certain time every day.

Is it possible to run all 3 reports from the search head with a time gap of 5 minutes?

Thanks a lot in advance.

nadlurinadluri · ‎08-24-2018

You can do that!! But you need to be mindful of the duration the earlier searches takes. There will be always an issue if the first search takes more than 5 minutes (due to some issues) and that hinders the second searches output. Having a safe gap b/w the searches will help you in this case

Chandras11 · ‎08-26-2018

Ok, That's a good point. However, do you know, how can we run multiple reports /Queries from the search head with a certain time gap duration. Is there any example available.

nadlurinadluri · ‎08-27-2018

I am not exactly sure about your ask!!
If you are asking how to schedule the reports:
You can schedule each report with a cron scheduler, and give a timegap of 5/10 minutes
report 1 ... 5,20,35,50 * * * *
report 2 .... 10,25,40,55 * * * *
report 3 .... 15,30,45,00 * * * *

Please adjust the cron scheduler according to your needs.

http://docs.splunk.com/Documentation/Splunk/latest/Report/Schedulereports#Schedule_reports_in_Settin...

Chandras11 · ‎08-28-2018

I already scheduled them in reporting with cron schedule 20 */3 * * 1-5 , 25 */3 * * 1-5 and 30 */3 * * 1-5.

What I need to know is that if we can run multiple reports from a single Search head (As a single query) with a defined time gap in between.

Running mulitple reports with a certain time gap

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!