scheduled task

m92 · ‎05-10-2024

Hello Splunkers,

I'd like to schedule a query twice a day. For example, one at 12:00 PM and the other at 7:00 PM, and then receive a report of each query. This would save me from having to run the query each time manually. Is it possible, and if so, how can I do it?

The query in question is:

(index="index1" Users=* IP=*) OR (index="index2" tag=1)
| where NOT match(Users, "^AAA-[0-9]{5}\$")
| where NOT match(Users, "^AAA[A-Z0-9]{10}\$")
| eval ip=coalesce(IP, srcip)
| stats
dc(index) AS index_count
values(Users) AS Users
values(destip) AS destip
values(service) AS service
earliest(_time) AS earliest
latest(_time) AS latest
BY ip
| where index_count>1
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table Users, ip, dest_ip, service, earliest, latest

Thanks in advance!

gcusello · ‎05-10-2024

Hi @m92,

you can schedule the runs of your alert twice in a day using cron:

0 12,19 * * *

the question is: do you want the same time period (e.g. 24 hours) on bothe the searches?

Ciao.

Giuseppe

m92 · ‎05-10-2024

I want a scheduled task to run the query and save it twice a day, every day.

gcusello · ‎05-10-2024

Hi @m92,

using the above cron, you run your scheduled search at 12:00 and 19:00.

Ciao.

Giuseppe

scheduled task

scheduled search

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...