Splunk Search

Schedule search to run one time only

landen99
Motivator

I want to schedule a search so that it can be manually set to run without repetition during non-business hours when the demand for Splunk server searches is low.

I know how to save a search to the reports section and to set up the search to be repeated every day/week/etc. I also see that the saved search can be run right now by clicking run.

The best I can see at the moment is to schedule the search using the cron format. For instance,

01 00 20 03 * will run yearly on March 20th at one minute after midnight.

01 00 20 03 * 2014 should run once, but Splunk does not accept it with the optional year added.
(format: min hr day mon wkday year).

Is there a way to set a one-time run at a specified time (no future run events scheduled) without using cron? If not, this is a feature request for search scheduling (perhaps added to the initial search interface page).

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The Splunk scheduler doesn't have a yearly schedule. Per documentation, the parameters (* * * * *) correspond to minute hour day month day-of-week. Splunk does not use the 6th parameter for year, common in other forms of cron notation.

One workaround I can suggest is to schedule the search with your cron (01 00 20 03 *) and then have an alert script disable the job after execution. A sample command (for Unix) could be like this:

curl -k -u adminUser:adminPassword -d "disabled=1" https://localhost:8089/servicesNS/adminUser/AppName/saved/searches/SearchName

where
adminUser = Splunk user name with admin privilege
adminPassword = password for the above user
AppName and SearchName = name of the app containing the search to be disabled (SearchName).

landen99
Motivator

Your answer inspires me to think that we could just use cron (at the os level) or task manager (windows) to run a command line splunk API call to run the search.

0 Karma

bnorthway_splun
Splunk Employee
Splunk Employee

A disabled report cannot be viewed - you will receive the message "There are no results because the report is disabled."

Unfortunately, it does not appear there is a way to schedule a report to run one time.

0 Karma
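The accepted answer's curl call, the caveat that a disabled report can no longer be viewed, and landen99's idea of firing the search from the OS scheduler all fit in one small script. The following is an added example, not code from this thread or from Splunk. It assumes a token file and three environment variables (SPLUNK_URI, SPLUNK_TOKEN_FILE, SPLUNK_CACERT), a hypothetical file name oneshot.sh and hypothetical function names; the saved/searches endpoint, its disabled and is_scheduled parameters, the /dispatch sub-endpoint, Bearer token authentication on the management port, and the report name arriving as the 4th argument of a legacy script alert action are documented Splunk behaviour. Compared with the one-liner in the answer it avoids -k and keeps the credential out of argv and out of the at(1) job file, and it offers is_scheduled=0 as the alternative that removes the schedule without making the report unviewable.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: stop a scheduled
# Splunk report after one run, or fire it once from the OS scheduler, using
# the saved/searches REST endpoint the accepted answer points at.
#
# Assumed environment (every name here is constructed for this example):
#   SPLUNK_URI         management port, default https://localhost:8089
#   SPLUNK_TOKEN_FILE  file (mode 600) holding a Splunk authentication token;
#                      read at call time so no credential sits in argv or in
#                      the at(1) job file
#   SPLUNK_CACERT      CA bundle for the management port, used instead of -k
SPLUNK_URI=${SPLUNK_URI:-https://localhost:8089}
SPLUNK_TOKEN_FILE=${SPLUNK_TOKEN_FILE:-$HOME/.splunk_token}

# Percent-encode one argument (POSIX sh, ASCII input) so report names with
# spaces or punctuation survive as a URL path segment.
urlencode() {
  s=$1; out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}          # peel off the first character
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# REST URL of a saved search. OWNER is the namespace: "nobody" for a report
# shared in the app, otherwise the user who owns it. APP is the app it lives in.
saved_search_url() {                 # usage: saved_search_url OWNER APP NAME
  printf '%s/servicesNS/%s/%s/saved/searches/%s' \
    "$SPLUNK_URI" "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Two ways to stop future runs. disabled=1 is what the answer uses, but a
# disabled report cannot be viewed; is_scheduled=0 drops the cron schedule
# and leaves the report and its last results viewable.
stop_body() {                        # usage: stop_body disable|unschedule
  case $1 in
    disable)    printf 'disabled=1' ;;
    unschedule) printf 'is_scheduled=0' ;;
    *) printf 'stop_body: unknown mode %s\n' "$1" >&2; return 1 ;;
  esac
}

# POST to the management port with token auth and a pinned CA bundle.
splunk_post() {                      # usage: splunk_post URL [curl args...]
  url=$1; shift
  curl -sS ${SPLUNK_CACERT:+--cacert "$SPLUNK_CACERT"} \
    -H "Authorization: Bearer $(cat "$SPLUNK_TOKEN_FILE")" "$@" "$url"
}

# 1) Alert-action use: run after the scheduled search fires and take the
#    schedule away. Splunk's legacy script alert action passes the report
#    name as its 4th positional argument, so a wrapper can call
#    stop_after_run nobody search "$4".
stop_after_run() {                   # usage: stop_after_run OWNER APP NAME [disable|unschedule]
  body=$(stop_body "${4:-unschedule}") || return 1
  splunk_post "$(saved_search_url "$1" "$2" "$3")" -d "$body" -o /dev/null
}

# 2) One-shot use (landen99's OS-cron idea): do not schedule the report in
#    Splunk at all; queue a single dispatch with at(1). The job line reads
#    the token when it runs, so the job file never contains the credential.
one_shot_command() {                 # usage: one_shot_command DISPATCH_URL
  printf 'curl -sS%s -H "Authorization: Bearer $(cat %s)" -X POST -o /dev/null '"'"'%s'"'" \
    "${SPLUNK_CACERT:+ --cacert $SPLUNK_CACERT}" "$SPLUNK_TOKEN_FILE" "$1"
}
dispatch_once() {                    # usage: dispatch_once OWNER APP NAME YYYYMMDDhhmm
  one_shot_command "$(saved_search_url "$1" "$2" "$3")/dispatch" | at -t "$4"
}

# Manual entry points; a no-op when the file is sourced for its functions.
#   sh oneshot.sh stop nobody search "My Report" unschedule
#   sh oneshot.sh once nobody search "My Report" 201403200001
case ${1:-} in
  stop) shift; stop_after_run "$@" ;;
  once) shift; dispatch_once "$@" ;;
esac
```

For the alert-action path the script goes under $SPLUNK_HOME/bin/scripts (or an app's bin/scripts) and is selected as the report's script action; the token must belong to a user allowed to edit that report. For the one-shot path nothing is scheduled inside Splunk, so there is no yearly recurrence to clean up afterwards, which is the closest thing to the "run once at a given time" feature asked for in the question.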

landen99
Motivator

Not an elegant solution but this may be the only way short of accepting a yearly job recurrence default. Requesting from Splunk a new feature for easy one-time run scheduling.

0 Karma

rmuraly
Explorer

What would be the command for Windows to do the same thing?

0 Karma
