Reporting

Why am I unable to create scheduled reports after switching to Splunk free?

paledal
Engager

In Splunk Docs, I read the following article, which you can find here: http://docs.splunk.com/Documentation/Splunk/7.1.3/Admin/MoreaboutSplunkFree

The doc says this: "Any alerts you have defined will no longer trigger. You will no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes."

But after switching to Splunk Free, reports are no longer generated and I can no longer find where to edit scheduled reports in the GUI.
Is the documentation wrong or am i looking in the wrong place?

lwest_splunk
Splunk Employee
Splunk Employee

A bit late to the party on this one, but came across your question as I am researching a different issue for another Splunk customer.

Per our documentation at the following link:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/MoreaboutSplunkFree

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

User accounts or roles that you created no longer work.

Anyone connecting to the instance will automatically be logged on as admin. You will no longer see a login screen, though you will see the update check occur.

Any knowledge objects created by any user other than admin (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:

Use Splunk Web to promote them to be globally available before you switch. See Manage app and add-on objects.

Hand edit the configuration files they are in to promote them. See App architecture and object ownership.

Any alerts you defined no longer trigger. You no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes.

Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats do not work.

Of particular note for the behavior you have described, the line about "Any alerts you defined no longer trigger.", Splunk's free offering does not allow for the scheduling/running/use of the reports feature.

ptricoli
Engager

In my case, I had a scheduled dashboard with date range of the past 7 days but after converting to free the date range seems to have converted to [12/31/69 7:00:01.000 PM to 12/31/69 7:00:02.000 PM] as per the view recent tabs. I cannot seem to change that back to the past 7 days.

0 Karma

ssadanala1
Contributor

Navigate in GUI through this path to access reports

settings --> searches and reports --> search for your report --> Click on Edit --> Make changes you wish to

when you are saying report not generated does it have any alert action associated with it ?

paledal
Engager

Thank you,
settings->"searches and reports" works perfectly.
its only reports->edit that is no longer available

And all my previously scheduled jobs where set to is scheduled=false when i downgraded

Although after i have made an advanced edit and added cron schedule and enable schedule it is no longer possible to do things on the report other then (move, delete, run and view recent) also the name is not clickable

0 Karma

damiensurat
Contributor

Silly question, but have you surpassed your license of 500 mb a day? And is this a stand alone instance?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...