I have a search job in Splunk, and I have to run this job every day at a particular time. So, is there any option in Splunk so that I can schedule this job for every day at a particular time?
Hi gpant
Look at an example and use it
1- From the Search Page, create the following search:
index=_internal " error " NOT debug source=splunkd.log
earliest=-24h latest=now
2- Click Save As > Alert.
3- Specify the following values for the fields in the Save As Alert dialog box:
Title: Errors in the last 24 hours
Alert type: Scheduled
Time Range: Run every day
Schedule: At 10:00
Trigger condition: Number of Results
Trigger if number of results: is Greater than 5
4- Click Next.
5- Click Send Email.
6- Set the following email settings, using tokens in the Subject and Message fields:
To: email recipient
Priority: Normal
Subject: Too many errors alert: $name$
Message: There were $job.resultCount$ errors reported on $trigger_date$.
Include: Link to Alert and Link to Results
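The same scheduled alert written as a savedsearches.conf stanza, added here as an example and not part of the original answer. The app directory and the recipient address are placeholders; the cron expression `0 10 * * *` is the conf-file form of "Run every day at 10:00".

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# (<your_app> is a placeholder for the app that should own the alert)

[Errors in the last 24 hours]
# Search string as posted in the answer above; the time range moves into
# the dispatch.* settings instead of inline earliest/latest.
search = index=_internal " error " NOT debug source=splunkd.log
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Alert type: Scheduled, run every day at 10:00
# cron fields: minute hour day-of-month month day-of-week
enableSched = 1
cron_schedule = 0 10 * * *

# Trigger condition: Number of Results is greater than 5
counttype = number of events
relation = greater than
quantity = 5

# Trigger action: Send Email, with the tokens from step 6
action.email = 1
# Placeholder recipient, replace with a real address or list
action.email.to = recipient@example.com
action.email.subject = Too many errors alert: $name$
action.email.message.alert = There were $job.resultCount$ errors reported on $trigger_date$.
# Include: Link to Alert and Link to Results
action.email.include.view_link = 1
action.email.include.results_link = 1
```

Keeping the stanza in a file makes the schedule and threshold reviewable in version control; a restart of Splunk picks up edits made directly to the file.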
Take a look at this:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Alert/Definescheduledalerts
Extract from the link above based on an actual example:
1. From the Search Page, create the following search. Select Last 24 Hours for the time range:
index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events
2. Select Save As > Alert
The Save As Alert dialog box opens.
3. Specify Settings:
Title: Server Errors Last 24 hours
Alert Type: Scheduled
Time Range: Run Every Day
Schedule At: 0:00
Trigger Condition: Number of Results
Trigger if number of results: is Greater than 5
4. Specify Trigger Conditions:
Trigger alert when: Number of Results is Greater than 5
Trigger it: Once
5. Specify Trigger Actions:
Add Actions: List in Triggered Alerts
See Set up alert actions for information on other actions.
6. Click Save.