Reporting

Set Specific Start Time For Scheduled Search

IRHM73
Motivator

Hi, I wonder if someone could help me please.

I'm creating a scheduled search which will run every day with the following advanced time ranges:

Start date = -1d@d
Latest date = @d

The problem I have is that I want to set the scheduled search to start running on specific date then continue with the schedule.

I've been into the "Advanced edit" and changed the "next_scheduled_time" to show the date I'd like it start on i.e. 09 July, but this doesn't change the date when I look at the report in the list.

Could anyone perhaps point out where I've gone wrong please?

Many thanks and kind regards

Chris

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi IRHM73,
please some additional information:
do you want to schedule your search to a specific date (e.g. 08/07/2017), or to a fixed day of the week (e.g. every friday) or e.g. every hour from a specific date?
About scheduler see https://en.wikipedia.org/wiki/Cron or http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html

  • in the first case schedule your crontab in the week of your date and set your scheduler to 0 0 * * 7 and disable scheduler before the second run
  • in the second case schedule your crontab in the week of your date and set your scheduler to 0 0 * * 7
  • if instead your want to schedule e.g. every hour from a starting date, set your scheduler to 0 * * * * in the hour before the first wanted run.

Bye.
Giuseppe

View solution in original post

0 Karma

IRHM73
Motivator

Hi @cusello, yes you're right, thank you for the guidance.

Kind Regards

Chris

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi IRHM73,
please some additional information:
do you want to schedule your search to a specific date (e.g. 08/07/2017), or to a fixed day of the week (e.g. every friday) or e.g. every hour from a specific date?
About scheduler see https://en.wikipedia.org/wiki/Cron or http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html

  • in the first case schedule your crontab in the week of your date and set your scheduler to 0 0 * * 7 and disable scheduler before the second run
  • in the second case schedule your crontab in the week of your date and set your scheduler to 0 0 * * 7
  • if instead your want to schedule e.g. every hour from a starting date, set your scheduler to 0 * * * * in the hour before the first wanted run.

Bye.
Giuseppe

0 Karma

IRHM73
Motivator

Hi @cusello, I'm sorry for not providing enough information.

I have a report which will update a Summary index which I've scheduled as 'one -off' job to extract data from 01/03/17 to 07/07/17.

I then want to run the job I raised my question about to extract data for the previous 24 hours, so I will want to run this on the 09 July to extract data from the previous day and to continue doing this each day.

I hope this helps

Many thanks

Chris

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi IRHM73,,
I had this problem configuring BlueCoat Proxies App:

At first you can schedule your search to run once for the previous seven days five minutes after using as time period ealiest=-7d@d latest=@d:
e,g, if yout time is 9.30, schedule your report 35 9 * * * using as time period ealiest=-7d@d latest=@d.

After the end of your execution, schedule your search to run every day (e.g. at 7.00) 0 7 * * * using as time period ealiest=-d@d latest=@d.

Bye.
Giuseppe

0 Karma

IRHM73
Motivator

Hi @cusello, thank you for coming back to me with this.

So I take it by this, there is not way to set a future date, and should be set as two separate jobs setting the second when the first has run?

Many thanks

Chris

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi IRHM73,
I don't know but why you need to schedule two separate jobs?
As described you can schedule the first one shot job near-immediately (e.g. 5 minutes after your present time) so you can immediately check results and after job end schedule the daily run.

I did it and I obtained my goal!

Eventually, you could schedule also an alert to know if there were some problems in daily job execution to manually repeat the failed ones.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...