Splunk Search

How to schedule a JOB in splunk

gpant
Explorer

I have a search job in Splunk, and I have to run this job every day at a particular time. So, is there any option in Splunk so that I can schedule this job for every day at a particular time?

1 Solution

chimell
Motivator

Hi gpant
Look at an example and use it:
1- From the Search Page, create the following search:
index=_internal " error " NOT debug source=splunkd.log earliest=-24h latest=now
2- Click Save As > Alert.

3- Specify the following values for the fields in the Save As Alert dialog box:
Title: Errors in the last 24 hours
Alert type: Scheduled
Time Range: Run every day
Schedule: At 10:00
Trigger condition: Number of Results
Trigger if number of results: is Greater than 5
4- Click Next.
5- Click Send Email.
6- Set the following email settings, using tokens in the Subject and Message fields:
To: email recipient
Priority: Normal
Subject: Too many errors alert: $name$
Message: There were $job.resultCount$ errors reported on $trigger_date$.
Include: Link to Alert and Link to Results

javiergn
Super Champion

Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Alert/Definescheduledalerts

Extract from the link above based on an actual example:

1. From the Search Page, create the following search. Select Last 24 Hours for the time range:
index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events

2. Select Save As > Alert 
The Save As Alert dialog box opens.

3. Specify Settings:

Title: Server Errors Last 24 hours
Alert Type: Scheduled
Time Range: Run Every Day
Schedule At: 0:00
Trigger Condition: Number of Results
Trigger if number of results: is Greater than 5

4. Specify Trigger Conditions:

Trigger alert when: Number of Results is Greater than 5
Trigger it: Once

5. Specify Trigger Actions:

Add Actions: List in Triggered Alerts
See Set up alert actions for information on other actions.

6. Click Save.
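What both answers build through the Save As Alert dialog is stored by Splunk as a scheduled saved search. The stanza below is an added example (not from either answer or from the Splunk docs) showing the same alert as a savedsearches.conf entry: the 10:00 schedule, threshold and email fields follow chimell's answer, the triggered-alerts listing follows javiergn's step 5, and the stanza name, file location and recipient address are assumptions.

```ini
# local/savedsearches.conf in the app that owns the search (assumed location)
[Errors in the last 24 hours]
# The search itself; the time range is supplied by dispatch.* below
# instead of inline earliest=/latest= terms
search = index=_internal " error " NOT debug source=splunkd.log
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Scheduling: enableSched must be 1, otherwise cron_schedule is ignored
# and the search only runs when someone opens it
enableSched = 1
# Every day at 10:00 (minute hour day-of-month month day-of-week)
cron_schedule = 0 10 * * *

# Trigger condition: number of results greater than 5
counttype = number of events
relation = greater than
quantity = 5
# Fire once per scheduled run rather than once per matching result
alert.digest_mode = 1
# Also list it under Activity > Triggered Alerts
alert.track = 1

# Email action; the recipient is a placeholder address
action.email = 1
action.email.to = alerts@example.com
# 3 = Normal priority
action.email.priority = 3
action.email.subject = Too many errors alert: $name$
action.email.message.alert = There were $job.resultCount$ errors reported on $trigger_date$.
# Link to Alert and Link to Results
action.email.include.view_link = 1
action.email.include.results_link = 1
```

Because the dialog writes exactly these keys, this is also the place to look when a scheduled alert never fires: a missing or zero enableSched, or a cron_schedule that does not parse, leaves the search unscheduled without any error in the UI.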