I want to schedule a search so that it can be manually set to run without repetition during non-business hours when the demand for Splunk server searches is low.
I know how to save a search to the reports section and to setup the search to be repeated every day/week/etc. I also see that the saved search can be run right now by clicking run.
The best I can see at the moment is to schedule the search using the cron format. For instance,
01 00 20 03 * will run yearly on March 20th at one minute after midnight.
01 00 20 03 * 2014 should run once, but Splunk does not accept it with the optional year added.
(format: min hr day mon wkday year).
Is there a way to set a one-time run at a specified time (no future run events scheduled) without using cron? If not, this is a feature request for search scheduling (perhaps added to the initial search interface page).
The Splunk scheduler doesn't have Yearly schedule. Per documentation, the parameters (* * * * *) correspond to minute hour day month day-of-week. Splunk does not use the 6th parameter for year, common in other forms of cron notation.
One workaround I can suggest is to schedule the search with your cron (01 00 20 03 *) and then have an alert script to disable the job after execution. A sample command(for unix) could be like this:
curl -k -u adminUser:adminPassword -d "disabled=1" https://localhost:8089/servicesNS/adminUser/AppName/saved/searches/SearchName
adminUser= splunk user name with admin privilege
adminPassword=password for above user
AppName and SearchName= name of app containing the search to be disabled (SearchName).
Not an elegant solution but this may be the only way short of accepting a yearly job recurrence default. Requesting from Splunk a new feature for easy one-time run scheduling.
Your answer inspires me to think that we could just use cron (at the os level) or task manager (windows) to run a command line splunk API call to run the search.
A disabled report cannot be viewed - you will receive the message "There are no results because the report is disabled."
Unfortunately, it does not appear there is a way to schedule a report to run one time.