Schedule search to run one time only

Motivator

I want to schedule a search so that it can be manually set to run without repetition during non-business hours when the demand for Splunk server searches is low.

I know how to save a search to the reports section and to set up the search to be repeated every day/week/etc. I also see that the saved search can be run right now by clicking run.

The best I can see at the moment is to schedule the search using the cron format. For instance,

01 00 20 03 * will run yearly on March 20th at one minute after midnight.

01 00 20 03 * 2014 should run once, but Splunk does not accept it with the optional year added.
(format: min hr day mon wkday year).

Is there a way to set a one-time run at a specified time (no future run events scheduled) without using cron? If not, this is a feature request for search scheduling (perhaps added to the initial search interface page).

Re: Schedule search to run one time only

SplunkTrust

The Splunk scheduler doesn't have a yearly schedule. Per the documentation, the parameters (* * * * *) correspond to minute hour day month day-of-week. Splunk does not use the 6th parameter for year, common in other forms of cron notation.

One workaround I can suggest is to schedule the search with your cron (01 00 20 03 *) and then have an alert script disable the job after execution. A sample command (for Unix) could be like this:

curl -k -u adminUser:adminPassword -d "disabled=1" https://localhost:8089/servicesNS/adminUser/AppName/saved/searches/SearchName

where
adminUser = Splunk user name with admin privilege
adminPassword = password for the above user
AppName and SearchName = name of the app containing the search to be disabled (SearchName).

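The workaround in the reply above, written out as an alert script. This is an added example, not code from the thread or from Splunk; it goes beyond the posted command by URL-encoding the search name, reading credentials from a netrc file instead of the command line, and verifying the server certificate instead of using -k. The names SPLUNK_MGMT, SPLUNK_CA, SPLUNK_NETRC, disable_search.sh and the three functions are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical names: SPLUNK_MGMT,
# SPLUNK_CA, SPLUNK_NETRC and all three function names.

# Percent-encode one URL path segment (ASCII input assumed); saved search
# names routinely contain spaces, colons or slashes.
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case $c in
            [A-Za-z0-9_.~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Build the endpoint from the post: /servicesNS/<user>/<app>/saved/searches/<name>
saved_search_url() {
    printf '%s/servicesNS/%s/%s/saved/searches/%s' \
        "${SPLUNK_MGMT:-https://localhost:8089}" \
        "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# POST disabled=1. Credentials come from a netrc file (mode 0600) so they do
# not appear in the process list, and the server certificate is verified
# against SPLUNK_CA instead of being skipped with -k.
disable_saved_search() {
    curl --silent --show-error --fail \
        --cacert "${SPLUNK_CA:?path to the CA file for the management port}" \
        --netrc-file "${SPLUNK_NETRC:?path to a netrc file with the login}" \
        --data 'disabled=1' \
        "$(saved_search_url "$1" "$2" "$3")" >/dev/null
}

# Usage: disable_search.sh <user> <app> <search name>
if [ "$#" -eq 3 ]; then
    disable_saved_search "$1" "$2" "$3"
fi
```

A dedicated account that can only edit this one saved search limits what a leaked netrc file exposes, compared with the admin login used in the posted command.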
Re: Schedule search to run one time only

Motivator

Not an elegant solution but this may be the only way short of accepting a yearly job recurrence default. Requesting from Splunk a new feature for easy one-time run scheduling.

Re: Schedule search to run one time only

Explorer

What would be the command for Windows to do the same thing?

Re: Schedule search to run one time only

SplunkTrust

Re: Schedule search to run one time only

Motivator

Your answer inspires me to think that we could just use cron (at the OS level) or Task Manager (Windows) to run a command-line Splunk API call to run the search.

Re: Schedule search to run one time only

Splunk Employee

A disabled report cannot be viewed - you will receive the message "There are no results because the report is disabled."

Unfortunately, it does not appear there is a way to schedule a report to run one time.
