Splunk Search

How to schedule real-time search with a cron schedule in Splunk 6.2.1

shailesh030
Path Finder

I am trying to convert real-time searches in the dashboard to scheduled real-time searches to reduce performance overhead/tradeoff on indexer. I was looking to implement the suggestion in the below post

https://answers.splunk.com/answers/247134/how-to-improve-performance-of-a-shared-dashboard-w.html

I converted panels to reports, but when I click on "schedule search", I don't see an option for cron schedule coming up. Below are my "Start Time" and "Finish Time"

Start Time = rt-30m
Finish Time = rt

If i change the starttime and finish time to -30m and now respectively, I get an option to schedule using cron.

Am I doing this incorrectly or has the option to schedule real-time search has been removed in 6.2.1

0 Karma
1 Solution

woodcock
Esteemed Legend

Realtime search runs continuously so having a cron (rerun search at fixed interval) is nonsensical. For real-time saved searches, as soon as you click "Save", it will start running and KEEP running. Also be aware that the only benefit you get from scheduling is that all users share the same real-time search so this is only beneficial if you have simultaneous users of the dashboard.

View solution in original post

woodcock
Esteemed Legend

Realtime search runs continuously so having a cron (rerun search at fixed interval) is nonsensical. For real-time saved searches, as soon as you click "Save", it will start running and KEEP running. Also be aware that the only benefit you get from scheduling is that all users share the same real-time search so this is only beneficial if you have simultaneous users of the dashboard.

Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...