Splunk Search

Schedule search to run one time only

landen99
Motivator

I want to schedule a search so that it can be manually set to run without repetition during non-business hours when the demand for Splunk server searches is low.

I know how to save a search to the reports section and to set up the search to be repeated every day/week/etc. I also see that the saved search can be run right now by clicking run.

The best I can see at the moment is to schedule the search using the cron format. For instance,

01 00 20 03 * will run yearly on March 20th at one minute after midnight.

01 00 20 03 * 2014 should run once, but Splunk does not accept it with the optional year added.
(format: min hr day mon wkday year).

Is there a way to set a one-time run at a specified time (no future run events scheduled) without using cron? If not, this is a feature request for search scheduling (perhaps added to the initial search interface page).

0 Karma
1 Solution

somesoni2
Revered Legend

The Splunk scheduler doesn't have a yearly schedule. Per documentation, the parameters (* * * * *) correspond to minute hour day month day-of-week. Splunk does not use the 6th parameter for year, common in other forms of cron notation.

One workaround I can suggest is to schedule the search with your cron (01 00 20 03 *) and then have an alert script to disable the job after execution. A sample command (for Unix) could be like this:

curl -k -u adminUser:adminPassword -d "disabled=1" https://localhost:8089/servicesNS/adminUser/AppName/saved/searches/SearchName

where
adminUser = Splunk user name with admin privilege
adminPassword = password for the above user
AppName and SearchName = name of the app containing the search to be disabled (SearchName)

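As an added example (not part of the thread), here is what that alert script could look like on Unix, with the report name percent-encoded for the REST path and the credentials taken from the environment instead of being written into the script. Assumed: management port 8089, the SPLUNK_USER/SPLUNK_PASS/SPLUNK_CACERT variables, and that the calling user owns or may edit the report.

```shell
#!/bin/sh
# Added example, not from the thread: an alert script that disables the saved search
# that just fired, so a cron-scheduled report effectively runs once.
# Assumptions: management port 8089 on localhost; credentials and the CA certificate
# path come from the environment (never hard-coded); the user owns or may edit the report.
set -eu

SPLUNK_MGMT="${SPLUNK_MGMT:-localhost:8089}"
SPLUNK_APP="${SPLUNK_APP:-search}"

# Percent-encode one path segment; report names often contain spaces (ASCII names assumed).
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"          # first character
    s="${s#?}"                 # rest of the string
    case "$c" in
      [a-zA-Z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# REST endpoint for a saved search: /servicesNS/<owner>/<app>/saved/searches/<name>
saved_search_url() {
  printf 'https://%s/servicesNS/%s/%s/saved/searches/%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# POST disabled=1 and succeed only on HTTP 200. --cacert verifies the management
# certificate instead of -k, which would silently accept any certificate.
disable_saved_search() {
  url="$(saved_search_url "$SPLUNK_MGMT" "$SPLUNK_USER" "$SPLUNK_APP" "$1")"
  status=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$SPLUNK_CACERT" \
             -u "$SPLUNK_USER:$SPLUNK_PASS" -d disabled=1 "$url") || status=000
  if [ "$status" != 200 ]; then
    echo "disable of '$1' failed: HTTP $status" >&2
    return 1
  fi
}

# Legacy scripted alerts pass the report name as the 4th argument.
if [ "$#" -ge 4 ]; then
  disable_saved_search "$4"
fi
```

A non-zero exit from the script shows up in the scheduler log, which is the place to check that the report really was disabled after its single run.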

landen99
Motivator

Your answer inspires me to think that we could just use cron (at the OS level) or Task Scheduler (Windows) to run a command-line Splunk API call to run the search.

0 Karma

bnorthway_splun
Splunk Employee

A disabled report cannot be viewed - you will receive the message "There are no results because the report is disabled."

Unfortunately, it does not appear there is a way to schedule a report to run one time.

0 Karma

landen99
Motivator

Not an elegant solution, but this may be the only way short of accepting a yearly job recurrence by default. Requesting from Splunk a new feature for easy one-time run scheduling.

0 Karma

rmuraly
Explorer

What would be the command for Windows to do the same thing?

0 Karma

somesoni2
Revered Legend
0 Karma