Reporting

scheduled task

m92
Loves-to-Learn Lots

Hello Splunkers,

I'd like to schedule a query twice a day. For example, one at 12:00 PM and the other at 7:00 PM, and then receive a report of each query. This would save me from having to run the query each time manually. Is it possible, and if so, how can I do it?

The query in question is:

(index="index1" Users=* IP=*) OR (index="index2" tag=1)
| where NOT match(Users, "^AAA-[0-9]{5}\$")
| where NOT match(Users, "^AAA[A-Z0-9]{10}\$")
| eval ip=coalesce(IP, srcip)
| stats
dc(index) AS index_count
values(Users) AS Users
values(destip) AS destip
values(service) AS service
earliest(_time) AS earliest
latest(_time) AS latest
BY ip
| where index_count>1
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table Users, ip, dest_ip, service, earliest, latest


Thanks in advance!

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @m92,

you can schedule the runs of your alert twice in a day using cron:

0 12,19 * * *

the question is: do you want the same time period (e.g. 24 hours) on bothe the searches?

Ciao.

Giuseppe

0 Karma

m92
Loves-to-Learn Lots

I want a scheduled task to run the query and save it twice a day, every day.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @m92,

using the above cron, you run your scheduled search at 12:00 and 19:00.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...