Solved: How to schedule real-time search with a cron sched...

shailesh030 · ‎10-05-2015

I am trying to convert real-time searches in the dashboard to scheduled real-time searches to reduce performance overhead/tradeoff on indexer. I was looking to implement the suggestion in the below post

https://answers.splunk.com/answers/247134/how-to-improve-performance-of-a-shared-dashboard-w.html

I converted panels to reports, but when I click on "schedule search", I don't see an option for cron schedule coming up. Below are my "Start Time" and "Finish Time"

Start Time = rt-30m
Finish Time = rt

If i change the starttime and finish time to -30m and now respectively, I get an option to schedule using cron.

Am I doing this incorrectly or has the option to schedule real-time search has been removed in 6.2.1

woodcock · ‎10-06-2015

Realtime search runs continuously so having a cron (rerun search at fixed interval) is nonsensical. For real-time saved searches, as soon as you click "Save", it will start running and KEEP running. Also be aware that the only benefit you get from scheduling is that all users share the same real-time search so this is only beneficial if you have simultaneous users of the dashboard.

View solution in original post

woodcock · ‎10-06-2015

Realtime search runs continuously so having a cron (rerun search at fixed interval) is nonsensical. For real-time saved searches, as soon as you click "Save", it will start running and KEEP running. Also be aware that the only benefit you get from scheduling is that all users share the same real-time search so this is only beneficial if you have simultaneous users of the dashboard.

How to schedule real-time search with a cron schedule in Splunk 6.2.1

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience