Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to schedule a JOB in splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have search job in splunk, and I have to run this job every day at a particular time. So, is there any option in splunk so that I can schedule this job for everyday at a particular time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gpant
Look at an example and use it
1-From the Search Page, create the following search
index=_internal " error " NOT debug source=splunkd.log
earliest=-24h latest=now
2- ClickSave As > Alert.
3-Specify the following values for the fields in theSave As Alertdialog box:
Title: Errors in the last 24 hours
Alert type: Scheduled
Time Range: Run every day
Schedule:At 10:00
Trigger condition: Number of Results
Trigger if number of results: is Greater than 5
4-ClickNext.
5-Click Send Email.
6-Set the following email settings, using tokens in theSubjectandMessage
fields:
To: email recipient
Priority: Normal
Subject: Too many errors alert: $name$
Message: There were $job.resultCount$ errors reported on
$trigger_date$.
Include: Link to Alert and Link to Results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gpant
Look at an example and use it
1-From the Search Page, create the following search
index=_internal " error " NOT debug source=splunkd.log
earliest=-24h latest=now
2- ClickSave As > Alert.
3-Specify the following values for the fields in theSave As Alertdialog box:
Title: Errors in the last 24 hours
Alert type: Scheduled
Time Range: Run every day
Schedule:At 10:00
Trigger condition: Number of Results
Trigger if number of results: is Greater than 5
4-ClickNext.
5-Click Send Email.
6-Set the following email settings, using tokens in theSubjectandMessage
fields:
To: email recipient
Priority: Normal
Subject: Too many errors alert: $name$
Message: There were $job.resultCount$ errors reported on
$trigger_date$.
Include: Link to Alert and Link to Results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at this:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Alert/Definescheduledalerts
Extract from the link above based on an actual example:
1. From the Search Page, create the following search. Select Last 24 Hours for the time range:
index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events
2. Select Save As > Alert
The Save As Alert dialog box opens.
3. Specify Settings:
Title: Server Errors Last 24 hours
Alert Type: Scheduled
Time Range: Run Every Day
Schedule At: 0:00
Trigger Condition: Number of Results
Trigger if number of results: is Greater than 5
4. Specify Trigger Conditions:
Trigger alert when: Number of Results is Greater than 5
Trigger it: Once
5. Specify Trigger Actions:
Add Actions: List in Triggered Alerts
See Set up alert actions for information on other actions.
6. Click Save.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
