I'm trying to understand how Splunk apps that interface with other systems via an API get their API calls scheduled. I'm not a Splunk app developer - just an admin curious about how the apps loaded on my Splunk environment work. When you install and configure an app that has a polling interval configured within it, how does Splunk normally control the periodic execution of that API call? Does it use the Splunk scheduler, or does each app have to write some kind of cron service or compute a pause interval between each invocation of the API?
Seems to me like the scheduler would be the obvious choice, but I can't find anything in the Splunk documentation to tell me for certain that the scheduler is used for apps to periodically call polled features.
@dkmcclory- There are 2 generic ways Splunk App developers use to schedule things:
Input is usually used when you would like to collect data on a scheduled basis.
For other use-cases you can use a Scheduled Report or Alert. And you can schedule alerts and reports with a Cron Job.
Reference for custom Splunk command:
I hope this helps!!! Please upvote if it does!!!
I've read the documentation for how to accept input for things like "Interval" (typically in seconds) which I think is your point #1. That explains how to get the settings configured, but not how to actually achieve the scheduled interval when running your API calls.
As for alerts and scheduled reports - it seems like what you are saying is one approach is to write some code that will generate custom SPL functions that will call your API, then use the normal search scheduler to make that custom function run on a regular basis. That sounds oddly difficult - is that a common approach that technical app developers use for scheduling their API calls?
@dkmcclory- It depends on what your API call does.
If your API call collects data and ingests it into Splunk, then use Input
else use scheduled alert/report.
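
As an added illustration of the Input route discussed in this thread (not code from any poster or from Splunk): a scripted-input script contains no timer or sleep loop, because splunkd launches it on the `interval` set in inputs.conf and indexes what it prints. The app name, script path, sourcetype, index, checkpoint file and the stubbed API data are assumptions.

```python
"""Scripted-input sketch: splunkd, not the script, owns the schedule.

Hypothetical inputs.conf stanza shipped with the app (names are assumptions):

    [script://$SPLUNK_HOME/etc/apps/my_api_app/bin/poll_api.py]
    interval = 300
    sourcetype = my_api:events
    index = main
    disabled = 0

splunkd runs this script on that interval (seconds, or a cron expression) and
indexes whatever it writes to stdout. The script does one poll and exits.
"""
import json
import os
import sys
import tempfile

# Constructed stand-in for the remote API; a real input would make its HTTPS call here.
SAMPLE_API_RECORDS = [
    {"id": 1, "msg": "login ok"},
    {"id": 2, "msg": "login failed"},
    {"id": 3, "msg": "password reset"},
]

def fetch_records(since_id):
    """Return only records newer than the checkpoint (stub for the API call)."""
    return [r for r in SAMPLE_API_RECORDS if r["id"] > since_id]

def load_checkpoint(path):
    """Read the last record id seen; a missing or corrupt file means start from 0."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return 0

def run_once(checkpoint_path, out=sys.stdout):
    """One scheduled invocation: poll, emit one JSON event per line, save the checkpoint."""
    records = fetch_records(load_checkpoint(checkpoint_path))
    for rec in records:
        out.write(json.dumps(rec) + "\n")
    if records:
        with open(checkpoint_path, "w") as fh:
            fh.write(str(records[-1]["id"]))
    return len(records)

if __name__ == "__main__":
    run_once(os.path.join(tempfile.gettempdir(), "poll_api.checkpoint"))
```

The checkpoint is what keeps a second scheduled run from re-indexing records the first run already emitted.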