- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: Running mulitple reports with a certain time g...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running mulitple reports with a certain time gap
Hi everyone,
I have 3 reports dependent on the outcome of each other
The 1st report generates a FirstReportOutputcsv, which is the input for the Second report
The 2nd report generates a SecondReportOutputcsv, which is the input for the Third report.
The 2nd report generates a ThirdReportOutputcsv, which is the final output.
As of now, I have scheduled these reports at a certain time every day.
Is it possible to run all 3 reports from the search head with a time gap of 5 minutes?
Thanks a lot in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do that!! But you need to be mindful of the duration the earlier searches takes. There will be always an issue if the first search takes more than 5 minutes (due to some issues) and that hinders the second searches output. Having a safe gap b/w the searches will help you in this case
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, That's a good point. However, do you know, how can we run multiple reports /Queries from the search head with a certain time gap duration. Is there any example available.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not exactly sure about your ask!!
If you are asking how to schedule the reports:
You can schedule each report with a cron scheduler, and give a timegap of 5/10 minutes
report 1 ... 5,20,35,50 * * * *
report 2 .... 10,25,40,55 * * * *
report 3 .... 15,30,45,00 * * * *
Please adjust the cron scheduler according to your needs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already scheduled them in reporting with cron schedule 20 */3 * * 1-5 , 25 */3 * * 1-5 and 30 */3 * * 1-5.
What I need to know is that if we can run multiple reports from a single Search head (As a single query) with a defined time gap in between.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
