Splunk App Development - Scheduling API calls

dkmcclory
Explorer

I'm trying to understand how Splunk apps that interface with other systems via an API get their API calls scheduled. I'm not a Splunk app developer - just an admin curious about how the apps loaded on my Splunk environment work. When you install and configure an app that has a polling interval configured within it, how does Splunk normally control the periodic execution of that API call? Does it use the Splunk scheduler, or does each app have to write some kind of cron service or compute a pause interval between each invocation of the API?

Seems to me like the scheduler would be the obvious choice, but I can't find anything in the Splunk documentation to tell me for certain that the scheduler is used for apps to periodically call polled features.

0 Karma

VatsalJagani
SplunkTrust

@dkmcclory - There are 2 generic ways Splunk App developers use to schedule things:

  1. Inputs
  2. Alerts OR Scheduled Reports

An Input is usually used when you would like to collect data on a scheduled basis.

For other use cases you can use a Scheduled Report or Alert. And you can schedule alerts and reports with a Cron Job.

  • If it is something you can do as a Splunk query, then you can just write the query in this alert or report.
  • If it is something that needs custom Python code, then you can write a Python custom command which you can call from a Splunk query.


Reference for custom Splunk command:

I hope this helps!!! Please upvote if it does!!!

0 Karma

dkmcclory
Explorer

I've read the documentation for how to accept input for things like "Interval" (typically in seconds) which I think is your point #1.  That explains how to get the settings configured, but not how to actually achieve the scheduled interval when running your API calls.

As for alerts and scheduled reports - it seems like what you are saying is one approach is to write some code that will generate custom SPL functions that will call your API, then use the normal search scheduler to make that custom function run on a regular basis.  That sounds oddly difficult - is that a common approach that technical app developers use for scheduling their API calls?

0 Karma

VatsalJagani
SplunkTrust

@dkmcclory - It depends on what your API call does.

If your API call collects data and ingests it into Splunk, then use an Input; else use a scheduled alert/report.

0 Karma
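
How the polling schedule of an input is enforced, as an added example that is not part of the original thread or any Splunk app's code: for a scripted input, splunkd launches the script on the `interval` set in inputs.conf, so the script polls once and exits instead of sleeping or running its own cron. The app name, script name, sourcetype, checkpoint file location and `fake_fetch` are hypothetical.

```python
"""Scripted input sketch. Constructed inputs.conf stanza (names are hypothetical):

    [script://$SPLUNK_HOME/etc/apps/my_app/bin/poll_api.py]
    # seconds between runs; a cron expression such as */5 * * * * also works
    interval = 300
    sourcetype = my_api:events
    index = main

splunkd starts this script every `interval`; the script polls once, prints
events to stdout for indexing, and exits. It has no sleep loop or cron logic.
"""
import json
import os
import sys


def load_checkpoint(path):
    """Return the last event id already emitted, or 0 on the first run."""
    try:
        with open(path) as fh:
            return int(fh.read().strip() or 0)
    except (FileNotFoundError, ValueError):
        return 0


def poll_once(fetch, checkpoint_path, out=sys.stdout):
    """One scheduled run: fetch, emit only unseen events, advance checkpoint."""
    last_id = load_checkpoint(checkpoint_path)
    new_events = [e for e in fetch(since_id=last_id) if e["id"] > last_id]
    for event in sorted(new_events, key=lambda e: e["id"]):
        out.write(json.dumps(event, sort_keys=True) + "\n")  # one event per line
        last_id = event["id"]
    tmp = checkpoint_path + ".tmp"
    with open(tmp, "w") as fh:   # write then rename, so a crash mid-write
        fh.write(str(last_id))   # cannot leave a truncated checkpoint
    os.replace(tmp, checkpoint_path)
    return len(new_events)


def fake_fetch(since_id=0):
    """Stand-in for the real API call; returns constructed sample records."""
    sample = [{"id": 1, "msg": "login"}, {"id": 2, "msg": "logout"},
              {"id": 3, "msg": "login"}]
    return [e for e in sample if e["id"] > since_id]


if __name__ == "__main__":
    here = os.path.dirname(os.path.abspath(__file__))  # assumed checkpoint location
    poll_once(fake_fetch, os.path.join(here, "poll_api.ckpt"))
```

The checkpoint is what keeps consecutive scheduled runs from indexing the same records twice; a real input would replace `fake_fetch` with the vendor API call and read its credentials from Splunk's credential storage rather than from the script.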