Solved: How can I Monitor Jobs only at a specific interval...

Ashwini008 · ‎03-02-2023

Hi,

I need to monitor jobs only at specific interval .From Application server we are getting only Job Name And Date of Job generated into Splunk.

For example:

Job will only run between 9:30 PM -10:30 so Splunk will have data only after 9:30 PM so up to 9:30 PM dashboard will be showing as 'Job has not run' which is incorrect. I need to check only between 9:30 PM -10:30 PM and if there is no data in Index then show as "Job has not run"

Please suggest.

ITWhisperer · ‎03-02-2023

You could force your search to only return results (if there are any) when it is between certain times

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m")

View solution in original post

ITWhisperer · ‎03-02-2023

Not sure what the question is here - your search seems to append all the jobs from the csv which don't have entries in the time period of the search (although it could be optimised slightly since you are doing some date manipulation and then dropping the date field, and also filling the null dates with "N" only to replace it with "Job has not run"

index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName DATE
| append
[| inputlookup job.csv
| search NOT
[ search index = test_job
sourcetype = test_job
| rex field=source ".*/(?<JobName>.*?)_.*\."
| table JobName 
| dedup JobName]]
| fillnull value="Job has not run" DATE

Is the issue that job.csv does not include the expected times which the jobs should have been run between?

Ashwini008 · ‎03-02-2023

@ITWhisperer I need to monitor Jobs only at specific interval in dashboard. From source i am extracting job name and Timestamp of file generated. This Job generates anywhere between 9:30PM IST- 10:30PM IST . My below query is not checking for any time interval so before 9:30 PM also it is running the query and showing as "Job has not run". I need to check and run the query only after 9:30 PM and before that it should not run

ITWhisperer · ‎03-02-2023

So if I understand correctly, the report / dashboard search can be executed at any time but you want it ignore the fact that some jobs haven't been run (yet) if the time the job is executed is not between 9:30 and 10:30?

If so, how does the search know which jobs should be run in which timeframes?

Ashwini008 · ‎03-02-2023

@ITWhisperer That's correct. That is the challenge i am facing on how to check only specific jobs at specific interval. Can we write a query to check the condition only between 9:30 PM to 10: 30 PM

ITWhisperer · ‎03-02-2023

You could force your search to only return results (if there are any) when it is between certain times

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m")

Ashwini008 · ‎03-02-2023

@ITWhisperer Thank You how do i exclude weekends from the query?

ITWhisperer · ‎03-02-2023

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m") AND now()>relative_time(now(),"@w+1d") AND now()<relative_time(now(),"@w+6d")

Ashwini008 · ‎03-02-2023

@ITWhisperer I guess we can accept Answer only once per post! Anyway Thank You 🙂

How can I Monitor Jobs only at a specific interval in Dashboard?

configuration

development

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation